----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 12, 2001 9:23 AM
Subject: Firewalls digest, Vol 1 #256 - 13 msgs

> Send Firewalls mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnac.net/mailman/listinfo/firewalls
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewalls digest..."
>
>
> Today's Topics:
>
> 1. FW1 log encryption? ([EMAIL PROTECTED])
> 2. (no subject) (william.wells)
> 3. Re: Secure lan communication (part 2)? (Bernd Eckenfels)
> 4. Re: Secure lan communication (part 2)? (Bernd Eckenfels)
> 5. Creating Firewall based on linux (rym)
> 6. RE: Creating Firewall based on linux (Rodel P Hipolito)
> 7. RE: (no subject) ([EMAIL PROTECTED])
> 8. WINS with PIX (Johnston Mark)
> 9. Re: WINS with PIX (Volker Tanger)
> 10. Re: WINS with PIX (bob bobing)
> 11. Cequrux Firewall (Warren van Eyssen)
> 12. Cisco Security Advisory: Vulnerable SSL implementation in iCDN (Cisco Systems Product Security Incident Response Team)
> 13. Re: Creating Firewall based on linux (Bruce Bauer)
>
> --__--__--
>
> Message: 1
> Subject: FW1 log encryption?
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> Date: Tue, 11 Sep 2001 13:49:36 -0700
>
> We are running Checkpoint FW1 4.1 at multiple locations. Currently,
> each location is running as its own management station, thereby logging to
> itself. I am in the process of breaking out the management abilities to one
> central location. Should I be concerned with the logs being sent through
> the internet, or are they being encrypted in some way? My other option is
> using the management stations through the VPNs, but I do not want to try
> to figure that out if I don't have to. Also, if the VPN goes down, then
> goes my ability to manage the firewalls.
>
> So to summarize, are the firewall logs being encrypted by default?
>
> Scott
>
> --__--__--
>
> Message: 2
> From: "william.wells" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Date: Tue, 11 Sep 2001 17:38:05 -0500
> Subject: (no subject)
>
> My PC is loaded with intrusion detection and other types of software. For
> the first time, AOL has tripped one of those alarms. The message indicated
> that a connection from AOL's system 172.165.224.93 (ACA5E05D.ipt.aol.com)
> attempted to scan my PC on port 80 with the URL of:
> GET /default.ida?XXXXXXXXX...XXX%u9090%u685......
>
> I've currently got AOL disabled at my firewall as a result. Normally, the
> firewall only lets port 5190 out and only to AOL's systems. The implication
> of this is that, once connected to AOL, they allow both inbound and outbound
> connections. The system (172.165.224.93) also isn't one of the permitted IP
> addresses to which the firewall will allow connections. A traceroute,
> however, clearly showed that the packet went through AOL's adapter running
> on Windows.
>
> Comments?
>
> --__--__--
>
> Message: 3
> Date: Wed, 12 Sep 2001 05:23:26 +0200
> From: Bernd Eckenfels <[EMAIL PROTECTED]>
> To: "Paul D. Robertson" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Secure lan communication (part 2)?
>
> On Mon, Sep 10, 2001 at 08:35:18PM -0400, Paul D. Robertson wrote:
> > It's not *better*, it's *cheaper*
>
> and slower.
>
> Greetings
> Bernd
>
> --__--__--
>
> Message: 4
> Date: Wed, 12 Sep 2001 05:24:38 +0200
> From: Bernd Eckenfels <[EMAIL PROTECTED]>
> To: Brett Lymn <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Secure lan communication (part 2)?
>
> On Tue, Sep 11, 2001 at 10:01:35AM +0930, Brett Lymn wrote:
> > Basically, because a carefully crafted packet can be made to jump
> > vlans.
> > The tagging on the vlan is just a field in the ethernet packet
> > which can be set by the client,
>
> only if the client is attached to a trunk port or if the switch is broken.
>
> Greetings
> Bernd
>
> --__--__--
>
> Message: 5
> From: "rym" <[EMAIL PROTECTED]>
> To: "firewall" <[EMAIL PROTECTED]>
> Subject: Creating Firewall based on linux
> Date: Wed, 12 Sep 2001 16:05:40 -0700
>
> Hi,
>
> Hope this is not too much to ask the list. I'm gonna be
> implementing a firewall in this way.
>
>                 nic0   _______   nic 1
> Router--------> |       | -----> Secured
>                 |       |        Database Server
>                 |       |-----> DMZ
>                 |||||||||||||||||| nic 2
>                     Firewall
>
> I'm gonna be running LINUX with 3 NIC cards. Any
> recommended readings as to where I can start?
>
> Thanks
>
> rym
>
> --__--__--
>
> Message: 6
> From: "Rodel P Hipolito" <[EMAIL PROTECTED]>
> To: "rym" <[EMAIL PROTECTED]>, "firewall" <[EMAIL PROTECTED]>
> Subject: RE: Creating Firewall based on linux
> Date: Wed, 12 Sep 2001 16:26:29 +0800
>
> Hi rym,
>
> Well, you can use IPchains if that would be the case. You can go to
> www.linuxhelp.com
>
> regards,
>
> Rodel P Hipolito
> Systems and Network Services
> Ecommsite Solutions, Inc.
> 30th Floor IBM Plaza,
> Eastwood City Cyberpark
> E.Rodriguez Jr. Ave. Quezon City.
> Email: [EMAIL PROTECTED]
> Tel.No. +632-9122764 loc. 102
> Fax No. +632-9122764 loc. 110
> http://www.ecommsite.com
>
> --__--__--
>
> Message: 7
> Date: Wed, 12 Sep 2001 05:27:55 -0700
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], '[EMAIL PROTECTED], [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: (no subject)
>
> Maybe trying to find out which machines are HTTP servers. Here in Brazil
> such ADSL links come with some important ports (53, 80, 119, 443, 8080)
> closed, as the contract states that we cannot host a domain on 'this'
> link (the open link is somewhat pricier).
>
> >that a connection from AOL's system 172.165.224.93 (ACA5E05D.ipt.aol.com)
> >attempted to scan my PC on port 80 with the URL of:
>
> Regards,
> irado furioso com tudo
> linux user 179402
>
> Padre Marcelo Rossi (a.k.a. O Mala, TeViNaTV) is a new fly on the same
> old cr*p as always.
>
> please click here: http://www.thehungersite.com
> and here too: http://cf6.uol.com.br/umminuto/
> --__--__--
>
> Message: 8
> From: Johnston Mark <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: WINS with PIX
> Date: Wed, 12 Sep 2001 15:26:28 +0200
>
> Hi all,
>
> I have set up a PIX firewall with VPN capabilities. Everything seems to be
> working except for WINS. I don't want to go through the whole configuration,
> but I'm calling on anyone that has run into the same problem or can give me
> any pointers.
> I know it's not much to work with ......
>
> Cheers
> Mark
>
> --__--__--
>
> Message: 9
> Date: Wed, 12 Sep 2001 16:00:15 +0200
> From: "Volker Tanger" <[EMAIL PROTECTED]>
> Organization: DiSCON GmbH
> To: Johnston Mark <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: Re: WINS with PIX
>
> Greetings!
>
> Johnston Mark wrote:
>
> > I have set up a PIX firewall with VPN capabilities. Everything seems
> > to be working except for WINS. I don't want to go through the whole
> > configuration, but I'm calling on anyone that has run into the same
> > problem or can give me any pointers.
>
> Which WINS? I guess setting up a WINS server and pointing the clients
> to it should do the work.
>
> NETBIOS name resolution (often confused with WINS) is broadcast-based,
> which probably does not work across networks with different IP addresses
> (e.g. local 10.0.0.0/8, remote 192.168.0.0/16).
>
> Bye
> Volker
>
> --
>
> Volker Tanger <[EMAIL PROTECTED]>
> Wrangelstr. 100, 10997 Berlin, Germany
> DiSCON GmbH - Internet Solutions
> http://www.discon.de/
>
> --__--__--
>
> Message: 10
> Date: Wed, 12 Sep 2001 07:51:03 -0700 (PDT)
> From: bob bobing <[EMAIL PROTECTED]>
> Subject: Re: WINS with PIX
> To: Volker Tanger <[EMAIL PROTECTED]>,
> Johnston Mark <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>
> From what I understand lmhosts is the quick and easy
> way to fix the broadcast netbios problem.
>
> > NETBIOS name resolution (often confused with WINS)
> > is broadcast-based
>
> --__--__--
>
> Message: 11
> From: Warren van Eyssen <[EMAIL PROTECTED]>
> To: "Firewalls (E-mail) (E-mail)" <[EMAIL PROTECTED]>
> Subject: Cequrux Firewall
> Date: Wed, 12 Sep 2001 17:12:25 +0200
>
> Hi all
>
> Can anybody give me a web site that has a decent knowledgebase on the
> Cequrux firewall?
>
> Regards,
>
> Warren van Eyssen
> Systems Engineer - CNE, Citrix CCA, Compaq ASE, IBM PSS
> Lan Workgroup Solutions
> Tel: (021) 683-5390
> Fax: (021) 683-9141
> Mobile: 082-892-6960
> Email: [EMAIL PROTECTED]
>
> Confidentiality Notice
> This communication and the information it contains is intended for the
> person(s) or organisation(s) named above and for no other person(s) or
> organisation(s). The content of this communication may be confidential,
> legally privileged and protected.
> Unauthorised use, copying or disclosure
> of any part of this communication may be unlawful. If you have received
> this communication in error, please remove it from your system.
>
> --__--__--
>
> Message: 12
> Date: Wed, 12 Sep 2001 17:03:05 +0100 (BST)
> To: [EMAIL PROTECTED]
> Subject: Cisco Security Advisory: Vulnerable SSL implementation in iCDN
> From: Cisco Systems Product Security Incident Response Team <[EMAIL PROTECTED]>
> Reply-To: Cisco Systems Product Security Incident Response Team <[EMAIL PROTECTED]>
>
> Cisco Security Advisory: Vulnerable SSL implementation in iCDN
>
> Revision 1.0
>
> For public release 2001 September 12 08:00 (GMT -0800)
>
> Summary
>
> A security vulnerability has been discovered in version 3.x of the RSA
> BSAFE SSL-J Software Developer Kit made by RSA Security. This
> vulnerability enables an attacker to establish a Secure Socket Layer
> (SSL) session with the server, bypassing the client authentication and
> using a bogus client certificate. The server must have been developed
> using a vulnerable RSA BSAFE SSL-J Software Development Kit (SDK).
> Servers based on other libraries are not known to be vulnerable to
> this issue. For further details regarding this vulnerability, see
> http://www.rsasecurity.com/support/bsafe/index.html
>
> The Cisco product affected by the vulnerable library is iCDN - Internet
> Content Distribution Network. The only vulnerable version is iCDN 2.0.
> This vulnerability has been fixed in version 2.0.1.
>
> No other Cisco product is vulnerable.
>
> There is no workaround for this vulnerability.
>
> This advisory is available at
> http://www.cisco.com/warp/public/707/SSL-J-pub.html
>
> Affected Products
>
> The only product affected is iCDN 2.0. iCDN 1.0 is not vulnerable
> because it does not contain the RSA BSAFE SSL-J library.
>
> This vulnerability has been fixed in release 2.0.1.
>
> No other Cisco products are affected.
>
> Details
>
> SSL as a protocol has the notion of a "session", which can be loosely
> described as a set of security parameters (such as the "master
> secret") which are shared between a client and server (see RFC2246,
> Appendix B). The creation of a session incurs the greatest penalty in
> terms of cryptographic operations, so the obvious optimization is to
> cache the session's parameters.
>
> The problem is that, if an error occurs during the client-server
> handshake, the server might, under certain conditions, store the
> session's ID in the cache rather than discarding it. If the same
> client then attempts a second connection, the server cache will
> already contain the session ID and the shorter version of the SSL
> handshake will be performed. Consequently, the server will skip the
> client authentication phase and the connection will proceed as if the
> client had successfully authenticated.
>
> For further details regarding this vulnerability see
> http://www.rsasecurity.com/support/bsafe/index.html
>
> This vulnerability is documented as Cisco Bug ID CSCdu68211.
>
> Impact
>
> An attacker can gain access to the server over an SSL connection.
> Once logged into the server, an attacker can access and change every
> accessible parameter of the system.
>
> Software Versions and Fixes
>
> iCDN 1.0 is not vulnerable since it does not contain the
> vulnerable library.
>
> iCDN 2.0.1 has fixed this vulnerability. It is based on a patched RSA
> BSAFE SSL-J SDK provided by RSA Security.
>
> Obtaining Fixed Software
>
> Cisco is offering free software upgrades to eliminate this
> vulnerability for all affected customers.
>
> Customers with contracts should obtain upgraded software through their
> regular update channels. For most customers, this means that upgrades
> should be obtained through the Software Center on Cisco's Worldwide
> Web site at http://www.cisco.com.
>
> Customers whose Cisco products are provided or maintained through
> prior or existing agreement with third-party support organizations
> such as Cisco Partners, authorized resellers, or service providers
> should contact that support organization for assistance with the
> upgrade, which should be free of charge.
>
> Customers who purchase direct from Cisco but who do not hold a Cisco
> service contract, and customers who purchase through third party
> vendors but are unsuccessful at obtaining fixed software through their
> point of sale, should get their upgrades by contacting the Cisco
> Technical Assistance Center (TAC). TAC contacts are as follows:
>
> * +1 800 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: [EMAIL PROTECTED]
>
> Please have your product serial number available and give the URL
> of this notice as evidence of your entitlement to a free upgrade. Free
> upgrades for non-contract customers must be requested through the TAC.
>
> Please do not contact either "[EMAIL PROTECTED]" or
> "[EMAIL PROTECTED]" for software upgrades.
>
> Workarounds
>
> There is no workaround.
>
> Exploitation and Public Announcements
>
> This vulnerability was discovered by Cisco. RSA Security provided the
> fix in a timely manner. The original RSA advisory is at
> http://www.rsasecurity.com/support/bsafe/index.html
>
> The Cisco PSIRT is not aware of any public announcements or malicious
> use of the vulnerability described in this advisory.
>
> Status of This Notice: FINAL
>
> This is a final notice. Although Cisco cannot guarantee the accuracy
> of all statements in this notice, all of the facts have been checked
> to the best of our ability. Cisco does not anticipate issuing updated
> versions of this notice unless there is some material change in the
> facts. Should there be a significant change in the facts, Cisco may
> update this notice.
>
> Distribution
>
> This notice will be posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/SSL-J-pub.html. In addition to
> the Worldwide Web posting, a text version of this notice is
> clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients:
>
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED]
> * [EMAIL PROTECTED] (includes CERT/CC)
> * [EMAIL PROTECTED]
> * comp.dcom.sys.cisco
> * [EMAIL PROTECTED]
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on Cisco's
> Worldwide Web server, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the URL given above for any updates.
>
> Revision History
>
> Revision 1.0 2001-September-12 08:00 GMT-0800 Initial public release
>
> Cisco Security Procedures
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml.
> This includes instructions for press inquiries regarding Cisco
> security notices.
>
> All Cisco Security Advisories are available at
> http://www.cisco.com/go/psirt
> _________________________________________________________________
>
> This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
> be redistributed freely after the release date given at the top of the
> text, provided that redistributed copies are complete and unmodified,
> and include all date and version information.
> _________________________________________________________________
>
> --__--__--
>
> Message: 13
> From: "Bruce Bauer" <[EMAIL PROTECTED]>
> Organization: Special Devices, Inc.
> To: "rym" <[EMAIL PROTECTED]>, "firewall" <[EMAIL PROTECTED]>
> Date: Wed, 12 Sep 2001 09:06:03 -0700
> Subject: Re: Creating Firewall based on linux
> Reply-To: [EMAIL PROTECTED]
>
> This is just my opinion of course, but the best OS for a
> roll-your-own firewall is OpenBSD. Very easy to configure and excellent documentation.
>
> http://www.openbsd.org
>
> -*-*-*-*-*-*-*-*-*-*-*-*-*-
>
> All opinions are my own.
> All advice is worth what you pay for it.
> A little experience often upsets a lot of theory.
>
> -*-*-*-*-*-*-*-*-*-*-*-*-*-
>
> --__--__--
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
> End of Firewalls Digest
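The session-cache ordering flaw described in the Cisco advisory (Message 12 of the digest above), as an added Python model that is not RSA's, Cisco's or the list's code: the vulnerable server inserts the session ID into its cache before client authentication has completed, so a failed handshake leaves the ID behind and a second connection resumes it with the abbreviated handshake, which carries no client certificate at all; the patched ordering caches a session only after authentication succeeds. Certificate names and session IDs are constructed for the example.

```python
# Added model of the RSA BSAFE SSL-J cache-ordering bug from the advisory.
# Not RSA's or Cisco's code; certificate names and session IDs are constructed.
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed: the only client certificate the server trusts.
TRUSTED_CLIENT_CERTS = {"cn=client-a,o=example"}


@dataclass
class SSLServer:
    """Toy server with a session cache keyed by session ID."""
    cache_before_auth: bool                  # True reproduces the vulnerable ordering
    session_cache: Set[str] = field(default_factory=set)

    def full_handshake(self, client_cert: str) -> Tuple[str, bool]:
        """Full handshake. Returns (session_id, client_authenticated).

        The session ID is chosen and sent in ServerHello, so the client learns it
        before client authentication happens, even if the handshake then fails.
        """
        session_id = secrets.token_hex(16)
        if self.cache_before_auth:
            # Vulnerable ordering: the ID enters the cache before the certificate
            # is checked, and an aborted handshake never removes it.
            self.session_cache.add(session_id)
        if client_cert not in TRUSTED_CLIENT_CERTS:
            return session_id, False          # handshake aborted: bogus certificate
        # Patched ordering: only a fully authenticated session is cached.
        self.session_cache.add(session_id)
        return session_id, True

    def connect(self, client_cert: str, resume_id: Optional[str] = None) -> Tuple[str, bool]:
        """One client connection attempt. Returns (session_id, access_granted)."""
        if resume_id is not None and resume_id in self.session_cache:
            # Abbreviated handshake: no Certificate/CertificateVerify messages,
            # so the client is never asked to prove anything.
            return resume_id, True
        return self.full_handshake(client_cert)


def bogus_client_gets_in(server: SSLServer) -> bool:
    """Two attempts with an untrusted certificate: a full handshake, then resumption
    of the ID the failed handshake handed out. True means client auth was bypassed."""
    session_id, granted_first = server.connect("cn=bogus,o=nowhere")
    if granted_first:
        raise AssertionError("the full handshake must reject an untrusted certificate")
    _, granted_second = server.connect("cn=bogus,o=nowhere", resume_id=session_id)
    return granted_second


if __name__ == "__main__":
    print("vulnerable ordering, bypass:", bogus_client_gets_in(SSLServer(cache_before_auth=True)))
    print("patched ordering, bypass:   ", bogus_client_gets_in(SSLServer(cache_before_auth=False)))
```

The check a defender would apply to any session cache is the one the patched branch models: nothing is cached, and nothing is resumable, until the handshake that created it has finished successfully.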
