Re: Firewall authentication & W2K Terminal Server

Wed, 05 Dec 2001 21:24:01 -0800 


these  nutz...

/* My Lord Tzu, the first tao of combat is
learning retreat is a weapon
Yuen Li, Archery Sifu to General Sun Tzu */



>From: "Laura A. Robinson" <[EMAIL PROTECTED]>
>Reply-To: "Laura A. Robinson" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, 
><[EMAIL PROTECTED]>
>Subject: Re: Firewall authentication & W2K Terminal Server
>Date: Wed, 5 Dec 2001 23:35:04 -0500
>
>So are *what*, and I like *what*? Are you capable of forming coherent
>sentences?
>
>Laura
>----- Original Message -----
>From: "piranha x" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
><[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
><[EMAIL PROTECTED]>
>Sent: Wednesday, December 05, 2001 11:07 PM
>Subject: Re: Firewall authentication & W2K Terminal Server
>
>
> >
> > so are these but you you like 'em..
> >
> > piranha...
> >
> > /* My Lord Tzu, the first tao of combat is
> > learning retreat is a weapon
> > Yuen Li, Archery Sifu to General Sun Tzu */
> >
> >
> >
> > >From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> > >Reply-To: "Laura A. Robinson" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
> > ><[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>
> > >Subject: Re: Firewall authentication & W2K Terminal Server
> > >Date: Wed, 5 Dec 2001 03:57:33 -0500
> > >
> > >Pathetic.
> > >----- Original Message -----
> > >From: "piranha x" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> > ><[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
><[EMAIL PROTECTED]>
> > >Sent: Wednesday, December 05, 2001 3:48 AM
> > >Subject: Re: Firewall authentication & W2K Terminal Server
> > >
> > >
> > > >
> > > > uncontrolled absurd beer fart LOL's...
> > > >
> > > > piranha...
> > > >
> > > > /* My Lord Tzu, the first tao of combat is
> > > > learning retreat is a weapon
> > > > Yuen Li, Archery Sifu to General Sun Tzu */
> > > >
> > > >
> > > >
> > > > >From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> > > > >To: "piranha" <[EMAIL PROTECTED]>, "John Steniger"
> > > > ><[EMAIL PROTECTED]>, "'Andy Jonkers'" <[EMAIL PROTECTED]>,
> > >"Eric
> > > > >Samburn" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > > > >Subject: Re: Firewall authentication & W2K Terminal Server
> > > > >Date: Wed, 28 Nov 2001 20:15:46 -0500
> > > > >
> > > > >I guess I'd be more inclined to listen if you actually *said*
>something
> > > > >instead of dismissing out of hand. (Note that I despise MS Proxy 
>and
> > >avoid
> > > > >using it, so this isn't a matter of my being biased.)
> > > > >
> > > > >Laura
> > > > >----- Original Message -----
> > > > >From: "piranha" <[EMAIL PROTECTED]>
> > > > >To: "Laura A. Robinson" <[EMAIL PROTECTED]>; "John
>Steniger"
> > > > ><[EMAIL PROTECTED]>; "'Andy Jonkers'" <[EMAIL PROTECTED]>;
> > >"Eric
> > > > >Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > > >Sent: Wednesday, November 28, 2001 8:12 PM
> > > > >Subject: Re: Firewall authentication & W2K Terminal Server
> > > > >
> > > > >
> > > > > > i repeat...lol...
> > > > > >
> > > > > > big f)(*king  lol...
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> > > > > > To: "piranha" <[EMAIL PROTECTED]>; "John Steniger"
> > > > > > <[EMAIL PROTECTED]>; "'Andy Jonkers'"
><[EMAIL PROTECTED]>;
> > > > >"Eric
> > > > > > Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > > > > Sent: Wednesday, November 28, 2001 4:55 PM
> > > > > > Subject: Re: Firewall authentication & W2K Terminal Server
> > > > > >
> > > > > >
> > > > > > > Actually, I know some pretty dedicated hackers who say that a
> > >properly
> > > > > > > configured MS Proxy 2.0 box is actually much harder for them 
>to
> > >hack
> > > > >than
> > > > > > > CheckPoint, PIX, ipchains, or any other firewall.
> > > > > > >
> > > > > > > Laura
> > > > > > > ----- Original Message -----
> > > > > > > From: "piranha" <[EMAIL PROTECTED]>
> > > > > > > To: "John Steniger" <[EMAIL PROTECTED]>; "'Andy 
>Jonkers'"
> > > > > > > <[EMAIL PROTECTED]>; "Eric Samburn" 
><[EMAIL PROTECTED]>;
> > > > > > > <[EMAIL PROTECTED]>
> > > > > > > Sent: Wednesday, November 28, 2001 7:52 PM
> > > > > > > Subject: Re: Firewall authentication & W2K Terminal Server
> > > > > > >
> > > > > > >
> > > > > > > > lol
> > > > > > > > lol
> > > > > > > > lol
> > > > > > > > lol
> > > > > > > > lol
> > > > > > > >
> > > > > > > > big lol...
> > > > > > > >
> > > > > > > > piranha
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "John Steniger" <[EMAIL PROTECTED]>
> > > > > > > > To: "'Andy Jonkers'" <[EMAIL PROTECTED]>; "Eric Samburn"
> > > > > > > > <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > > > > > > Sent: Wednesday, November 28, 2001 5:32 AM
> > > > > > > > Subject: RE: Firewall authentication & W2K Terminal Server
> > > > > > > >
> > > > > > > >
> > > > > > > > > Is there any reason you are looking for a firewall and not 
>a
> > >proxy
> > > > > > > > solution?
> > > > > > > > > We have almost the same setup (NT 4.0 Terminal server).  
>We
> > >use
> > >MS
> > > > > > Proxy
> > > > > > > > > Server to authenticate to the web and log usage by user, 
>and
>a
> > > > > > > > > packet-filtering firewall for outbound and inbound packet
> > > > >filtering.
> > > > > > I
> > > > > > > > > think a proxy solution would better fix your problem in 
>this
> > >case
> > > > >(but
> > > > > > > > don't
> > > > > > > > > disregard the firewall for inbound/outbound filtering!).  
>We
> > >have
> > > > > > > > experience
> > > > > > > > > with the Microsoft solution, and it does the trick.
> > > > > > > > >
> > > > > > > > > John J. Steniger
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > -----Original Message-----
> > > > > > > > > > From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > > > > > > > > > Sent: Wednesday, November 28, 2001 1:53 AM
> > > > > > > > > > To: Eric Samburn; [EMAIL PROTECTED]
> > > > > > > > > > Subject: Re: Firewall authentication & W2K Terminal 
>Server
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Hey,
> > > > > > > > > >
> > > > > > > > > > What you have written explains exactly what I'm
> > >experiencing,
> > > > > > > > > > and what you
> > > > > > > > > > are suggesting is what I need. But is it possible to 
>give
>me
> > > > > > > > > > a product that
> > > > > > > > > > can do what I want.
> > > > > > > > > > Some people speak of a PIX, but as far as I'm aware of 
>my
> > > > > > > > > > problem, they will
> > > > > > > > > > experience the same kind of problems. This is because, 
>as
> > >you
> > > > >have
> > > > > > > > > > suggested, each Browser Session on  a Terminal Server is 
>a
> > > > >session
> > > > > > on
> > > > > > > > > > itself, and all data leaving the TS seems to be from 
>only
> > >one
> > > > > > > > > > user instead
> > > > > > > > > > of different users.
> > > > > > > > > > Already thanks for your answers.
> > > > > > > > > >
> > > > > > > > > > Andy
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Eric Samburn" <[EMAIL PROTECTED]>
> > > > > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > > > > Sent: Wednesday, November 28, 2001 2:37 AM
> > > > > > > > > > Subject: RE: Firewall authentication & W2K Terminal 
>Server
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > I don't want to get into application proxy / packet
> > > > > > > > > > filtering debate,
> > > > > > > > > > > but think about it.
> > > > > > > > > > >
> > > > > > > > > > > The TS is on the internal network behind the firewall.
> > > > > > > > > > > Staff are logged into the TS and startup their 
>instance
>of
> > > > > > browser.
> > > > > > > > > > >
> > > > > > > > > > > >From the firewall's perspective, the traffic is TCP.
>The
> > > > > > > > > > data packets
> > > > > > > > > > will
> > > > > > > > > > > only provides src addr, src port, dest addr, dest 
>port.
> > >Since
> > > > >all
> > > > > > > > > > > connections are from the same TS, there is no way a
>packet
> > > > > > filtering
> > > > > > > > > > > firewall can distinguish which connection belong to
>which
> > > > >user.
> > > > > > > > > > > What you need is a http proxy. Some firewall provides 
>a
> > > > > > > > > > http proxy that
> > > > > > > > > > > support proxy "Basic Authentication" (the one 
>specified
>in
> > >the
> > > > > > http
> > > > > > > > > > > standard).
> > > > > > > > > > >
> > > > > > > > > > > That way you can control and log all web surfing 
>usage.
> > > > > > > > > > >
> > > > > > > > > > > Alternatively, you put a http proxy on the internal
> > >network,
> > > > >and
> > > > > > the
> > > > > > > > > > > firewall is configured to ONLY allow the proxy server 
>to
> > >go
> > > > >the
> > > > > > Net.
> > > > > > > > > > > And all users from the TS need to config their browser
>to
> > > > > > > > > > use the proxy
> > > > > > > > > > for
> > > > > > > > > > > web surfing.
> > > > > > > > > > >
> > > > > > > > > > > I just can't see how a packet filtering firewall can
>solve
> > > > > > > > > > this problem.
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > >From: "Kuff, Hal" <[EMAIL PROTECTED]>
> > > > > > > > > > > >To: "'Clark, Steve'" <[EMAIL PROTECTED]>,
> > > > > > > > > > "'[EMAIL PROTECTED]'"
> > > > > > > > > > > ><[EMAIL PROTECTED]>
> > > > > > > > > > > >Subject: RE: Firewall authentication & W2K Terminal
> > >Server
> > > > > > > > > > > >Date: Tue, 27 Nov 2001 19:18:54 -0500
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >     This is indeed an old and anoying issue... we
>suffer
> > > > > > > > > > as well... it's
> > > > > > > > > > > >almost impossible to identify what session on a TSE
> > > > > > > > > > machine maps into a
> > > > > > > > > > > >session on a PIX.. we're interested as well.
> > > > > > > > > > > >
> > > > > > > > > > > >-----Original Message-----
> > > > > > > > > > > >From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > > > > > > > > > > >Sent: Tuesday, November 27, 2001 5:39 PM
> > > > > > > > > > > >To: [EMAIL PROTECTED]
> > > > > > > > > > > >Subject: Firewall authentication & W2K Terminal 
>Server
> > > > > > > > > > > >
> > > > > > > > > > > >Hey,
> > > > > > > > > > > >
> > > > > > > > > > > >I'm looking for a firewall, which can give me a
>solution
> > > > > > > > > > for the problem
> > > > > > > > > > > >I'll be describing.
> > > > > > > > > > > >
> > > > > > > > > > > >I've got a Windows 2000 Terminal Server, and the
>Terminal
> > > > > > > > > > Server clients
> > > > > > > > > > > >can
> > > > > > > > > > > >browse the Internet using their session. However, 
>they
> > >need
> > > > >to
> > > > >be
> > > > > > > > > > > >authenticated by a firewall appliance before they are
> > > > > > > > > > allowed, and their
> > > > > > > > > > > >activity needs be logged on a user basis.
> > > > > > > > > > > >
> > > > > > > > > > > >The firewall I'm using testing for the
>moment -WatchGuard
> > > > > > > > > > Firebox II-
> > > > > > > > > > > >cannot
> > > > > > > > > > > >do what I want. Once a Terminal Server user
>authenticates
> > > > > > > > > > successfully,
> > > > > > > > > > all
> > > > > > > > > > > >other are allowed. This is because my WatchGuard
> > > > > > > > > > dynamically changes the
> > > > > > > > > > > >ACLs, because of the successfull authentication, and
> > > > > > > > > > allows Internet
> > > > > > > > > > access
> > > > > > > > > > > >originated from the Terminal Server Source IP.
> > > > > > > > > > Additionally, it cannot
> > > > > > > > > > log
> > > > > > > > > > > >on a user basis, as far as my WatchGuard is concerned
>it
> > > > > > > > > > comes from the
> > > > > > > > > > > >Terminal Server.
> > > > > > > > > > > >I've also tested the Nortel Contivity Instant 
>Internet
> > > > > > > > > > Gateway, and they
> > > > > > > > > > > >have the same problem as above.
> > > > > > > > > > > >During my CheckPoint Firewall-1 training, I've asked
>the
> > > > > > > > > > same question.
> > > > > > > > > > The
> > > > > > > > > > > >Certified Instructor told me it wasn't possible on CP
> > > > > > > > > > FW-1, for the same
> > > > > > > > > > > >reasons as described above. However, I didn't have 
>the
> > > > > > > > > > opportunity to
> > > > > > > > > > test
> > > > > > > > > > > >it so far.
> > > > > > > > > > > >
> > > > > > > > > > > >Does anyone know a firewall which can perform what I
> > >want?
> > > > > > > > > > And if yes,
> > > > > > > > > > can
> > > > > > > > > > > >he or she describe how it is done? Any help is 
>welcome,
> > > > > > > > > > and I thank you
> > > > > > > > > > for
> > > > > > > > > > > >the answer(s) to my question.
> > > > > > > > > > > >
> > > > > > > > > > > >Regards,
> > > > > > > > > > > >Andy JONKERS
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > >_________________________________________________________________
> > > > > > > > > > > Get your FREE download of MSN Explorer at
> > > > > > > > > http://explorer.msn.com/intl.asp
> > > > > > > > > >
> > > > > > > > > > _______________________________________________
> > > > > > > > > > Firewalls mailing list
> > > > > > > > > > [EMAIL PROTECTED]
> > > > > > > > > > http://lists.gnac.net/mailman/listinfo/firewalls
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > Firewalls mailing list
> > > > > > > > > [EMAIL PROTECTED]
> > > > > > > > > http://lists.gnac.net/mailman/listinfo/firewalls
> > > > > > > > > _______________________________________________
> > > > > > > > > Firewalls mailing list
> > > > > > > > > [EMAIL PROTECTED]
> > > > > > > > > http://lists.gnac.net/mailman/listinfo/firewalls
> > > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > Firewalls mailing list
> > > > > > > > [EMAIL PROTECTED]
> > > > > > > > http://lists.gnac.net/mailman/listinfo/firewalls
> > > > > > >
> > > > > > >
> > > > >
> > > >
> > > >
> > > > _________________________________________________________________
> > > > Get your FREE download of MSN Explorer at
> > >http://explorer.msn.com/intl.asp
> > > >
> > > > _______________________________________________
> > > > Firewalls mailing list
> > > > [EMAIL PROTECTED]
> > > > http://lists.gnac.net/mailman/listinfo/firewalls
> > >
> > >_______________________________________________
> > >Firewalls mailing list
> > >[EMAIL PROTECTED]
> > >http://lists.gnac.net/mailman/listinfo/firewalls
> >
> >
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at 
>http://explorer.msn.com/intl.asp
> >
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
























					Reply via email to