-------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 09:14:28 1995 Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Date: Mon, 11 Sep 95 09:10:14 -0500 From: Dave Hess Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Survey.... After this email follows the first of what will be a few surveys that will hopefully generate some useful statistics about academic institutions. If you are a representative of an academic institution I encourage you to participate and to do so with an honest assessment of your site. Only in this way will the results be useful. Dave - --- David K. Hess Network Analyst David-K-Hess@tamu.edu Computing and Information Services - Network Group (409) 845-0372 (work) Texas A&M University -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 10:01:40 1995 X-Mailer: Novell GroupWise 4.1 Date: Mon, 11 Sep 1995 07:57:32 -0700 From: Paul Lemman Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Academic Computer Network Security Survey #1 -Reply >>> Dave Hess 09/11/95 07:10am >>> Academic Computer Network Security Survey #1 ----- TOPIC: General security issues ----- Posting date: Monday, September 11, 1995 Last day for survey submission: Monday, October 2, 1995 Submit completed surveys to: survey@net.tamu.edu ----- This is the first of a series of surveys designed to collect (and subsequently redistribute) information about the state of computer network security in academic environments. Note that the survey is not restricted to academic environments; if you feel that your environment has the same characteristics then you are welcome to participate. The results of the survey will be announced within three weeks of the last day for survey submission. This survey is strictly anonymous. If you feel uncomfortable with any of the questions then do not answer those questions. 
If you feel uncomfortable divulging information about your site then you are encouraged to submit your survey via an anonymous remailer. If any of the free form answers are selected for inclusion in the report, they will first be "cleansed" of any references to actual institutions, departments, labs, or people. ----- INSTRUCTIONS: To fill out this survey, either delete all entries in matching brackets (brackets and all) following the question *except* the answer(s) to the question or replace the text in the brackets as indicated (i.e. any answer given will always be between brackets). Unless otherwise noted, choose only one answer for each question. Note that any other modification of the answer section may invalidate that answer. You do not need to modify the answer sections of skipped questions. In the following questions, "domain" refers to the scope represented by your answer(s) to question 1. ----- 1) Do your answers represent those of a person whose responsibilities are associated with an entire institution, individual department, lab or end user? (Put all that apply.) [ institution ] 2) Insert below the number of people within your domain that are responsible for computer security issues. [ 5000 ] 3) Rank on a scale of 1 to 5 the level of support for your computer security efforts in your domain that you receive from upper management (where 1 is very little support and 5 is excellent support). [ 4 ] 4) With regards to operating systems, is your network primarily homogeneous (one or two different operating systems) or heterogeneous (many different operating systems)? [ heterogeneous ] 5) With regards to network protocols, is your network primarily homogeneous (one or two different protocols) or heterogeneous (many different protocols)? [ heterogeneous ] 6) Does your domain have any type of physical security policy in place and/or is your domain covered by a physical security policy of a larger domain (physical meaning personal, site and property)? 
[ no ] 7) Does your domain have any type of computer security policy in place and/or is your domain covered by a computer security policy of a larger domain? [ yes ] If yes: 7.A) In your opinion, is this computer security policy effective in increasing the security of your domain's computer network? [ no ] 7.B) Does this policy specifically address computer _network_ security issues? [ no ] 8) Have computer network security measures (anything more strict than free peer to peer access) been implemented in your domain? [ yes ] If yes: 8.A) Rank on a scale of 1 to 5 the inconvenience of the security measures that were implemented (where 1 is very little inconvenience and 5 is extreme inconvenience). [ 2 ] 8.B) Rank on a scale of 1 to 5 the _initial_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] 8.C) Rank on a scale of 1 to 5 the _continuing_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 2 ] 8.D) Insert any other comments about implementing security measures below. (Note that any comments selected for the survey report will be "cleansed" of any references to actual institutions, departments, labs, or people.) [ ] 9) In your opinion, what do you consider to be (or what was) the biggest obstacle(s) to increasing computer network security in your domain? [ lack of staff or time to implement ] 10) Rank on a scale of 1 to 5 your concern over the possibility of civil lawsuits against your domain resulting from attacks originating in your domain (where 1 is very little concern and 5 is extreme concern). [ 5 ] 11) With what frequency do you monitor your network (i.e. check log files, audit machines, perform packet captures, etc.) for attacks from the Internet against machines within your domain? [ monthly ] If never: 11.A) With what frequency are successful attacks against machines in your domain detected after the fact? 
[ monthly ] Otherwise: 11.B) Based on your monitoring, with what frequency are attempts to violate the security of machines in your domain made? [ weekly ] 11.C) What percentage of those attempts are successful? [ 0% - 20% ] 12) With what frequency do you *believe* machines in your domain are being attacked (with and without your knowledge) from the Internet? [ daily ] 13) What percentage of all detected attacks originating from the Internet did you take punitive actions against? [ 0% - 20% ] If not 0%: 13.A) What percentage of these attacks were handled at a local level (i.e. administrative action and/or local police)? 13.B) What percentage of these attacks were handled at a federal level (i.e. FBI)? 14) Have you ever contacted a CERT-like security organization for any kind of assistance? [ yes ] If yes: 14.A) What percentage of the contacts resulted in a positive resolution to the problems that led you to contact them? [ 80% - 100% ] 15) Have you ever been contacted by a CERT-like security organization due to a security incident? [ no ] 16) Insert below the information sources you use to aid you in maintaining computer network security in your domain (i.e. books, newsgroups, journals, magazines, etc.). [ books, magazines, newsgroups ] 17) What is the approximate annual monetary amount spent in your domain on the following security related items (answers should be of the form $1234567 ; i.e. no commas or abbreviations should be used): 17.A) Computer security software [ ? ] 17.B) Hardware for implementing computer security [ ? ] 17.C) Personnel with computer security responsibilities [ 80000 ] 17.D) Computer security training [ 2500 ] 17.E) Attack handling and cleanup [ 1000 ] 18) Approximately how many software/hardware tools do you use to aid you in maintaining computer network security in your domain? 
[ 6 ] If not 0: 18.A) What percentage of the major tools you use to aid you in maintaining computer network security in your domain are commercial packages or operating system utilities versus home-grown and public domain/GNU Copyleft covered tools? [ 0% commercial - 100% other ] 18.B) Insert below the commercial packages you use to implement computer network security in your domain. [ ] 18.C) Insert below the public domain/GNU Copyleft packages you use to implement computer network security in your domain. [ tcp_wrapper, cops, swatch, resolv+,perl,iss ] -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 10:24:55 1995 X-Sun-Charset: US-ASCII Date: Mon, 11 Sep 1995 10:20:46 -0500 From: hendefd@tech.duc.auburn.edu (Frank Henderson) Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Re: Academic Computer Network Security Survey #1 Should the reply-to line have been set to survey@net.tamu.edu ?? Please don't clog the list with responses to the survey thanks, # Frank Henderson | Div. of Univ. Computing # Network Services /0\ Security Administrator # X-500/Gopher Manager \_______[|(.)|]_______/ # Auburn University o ++ 0 ++ o hendefd@mail.auburn.edu -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 10:48:06 1995 Date: Mon, 11 Sep 1995 11:44:08 -0400 From: Mike Peterson (System Admin) Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Re: Academic Computer Network Security Survey #1 1) Do your answers represent those of a person whose responsibilities are associated with an entire institution, individual department, lab or end user? (Put all that apply.) [ department ] 2) Insert below the number of people within your domain that are responsible for computer security issues. [ 2 ] 3) Rank on a scale of 1 to 5 the level of support for your computer security efforts in your domain that you receive from upper management (where 1 is very little support and 5 is excellent support). 
[ 3 ] 4) With regards to operating systems, is your network primarily homogeneous (one or two different operating systems) or heterogeneous (many different operating systems)? [ heterogeneous ] 5) With regards to network protocols, is your network primarily homogeneous (one or two different protocols) or heterogeneous (many different protocols)? [ homogeneous ] 6) Does your domain have any type of physical security policy in place and/or is your domain covered by a physical security policy of a larger domain (physical meaning personal, site and property)? [ no ] 7) Does your domain have any type of computer security policy in place and/or is your domain covered by a computer security policy of a larger domain? [ no ] If yes: 7.A) In your opinion, is this computer security policy effective in increasing the security of your domain's computer network? [ yes ] [ no ] 7.B) Does this policy specifically address computer _network_ security issues? [ yes ] [ no ] 8) Have computer network security measures (anything more strict than free peer to peer access) been implemented in your domain? [ yes ] If yes: 8.A) Rank on a scale of 1 to 5 the inconvenience of the security measures that were implemented (where 1 is very little inconvenience and 5 is extreme inconvenience). [ 2 ] 8.B) Rank on a scale of 1 to 5 the _initial_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] 8.C) Rank on a scale of 1 to 5 the _continuing_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] 8.D) Insert any other comments about implementing security measures below. (Note that any comments selected for the survey report will be "cleansed" of any references to actual institutions, departments, labs, or people.) 
[ NFS access is allowed between systems if UIDs/GIDs are set correctly, and a sysadmin exists to ensure local security issues are acted up; rlogin with no password is allowed if a reasonably competent sysadmin exists] 9) In your opinion, what do you consider to be (or what was) the biggest obstacle(s) to increasing computer network security in your domain? [ Heterogeneous systems which require recompilation of packages, different names/locations of system configuration files, different implementations of things like shadow password files from each vendor] 10) Rank on a scale of 1 to 5 your concern over the possibility of civil lawsuits against your domain resulting from attacks originating in your domain (where 1 is very little concern and 5 is extreme concern). [ 1 ] 11) With what frequency do you monitor your network (i.e. check log files, audit machines, perform packet captures, etc.) for attacks from the Internet against machines within your domain? [ daily ] If never: 11.A) With what frequency are successful attacks against machines in your domain detected after the fact? [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ] Otherwise: 11.B) Based on your monitoring, with what frequency are attempts to violate the security of machines in your domain made? [ weekly ] 11.C) What percentage of those attempts are successful? [ 0% - 20% ] 12) With what frequency do you *believe* machines in your domain are being attacked (with and without your knowledge) from the Internet? [ weekly ] 13) What percentage of all detected attacks originating from the Internet did you take punitive actions against? [ 0% - 20% ] If not 0%: 13.A) What percentage of these attacks were handled at a local level (i.e. administrative action and/or local police)? [ 0% - 20% ] 13.B) What percentage of these attacks were handled at a federal level (i.e. FBI)? [ 0% - 20% ] 14) Have you ever contacted a CERT-like security organization for any kind of assistance? 
[ yes ] If yes: 14.A) What percentage of the contacts resulted in a positive resolution to the problems that led you to contact them? [ 80% - 100% ] 15) Have you ever been contacted by a CERT-like security organization due to a security incident? [ no ] 16) Insert below the information sources you use to aid you in maintaining computer network security in your domain (i.e. books, newsgroups, journals, magazines, etc.). [ Internet "USENET" security and vendor news groups; mailing lists for topics like "firewalls" and vendor-specific security issues ] 17) What is the approximate annual monetary amount spent in your domain on the following security related items (answers should be of the form $1234567 ; i.e. no commas or abbreviations should be used): 17.A) Computer security software [ $0 ] 17.B) Hardware for implementing computer security [ $0 ] 17.C) Personnel with computer security responsibilities [ $0 ] 17.D) Computer security training [ $0 ] 17.E) Attack handling and cleanup [ $0 ] 18) Approximately how many software/hardware tools do you use to aid you in maintaining computer network security in your domain? [ 4 ] If not 0: 18.A) What percentage of the major tools you use to aid you in maintaining computer network security in your domain are commercial packages or operating system utilities versus home-grown and public domain/GNU Copyleft covered tools? [ 0% commercial - 100% other ] 18.B) Insert below the commercial packages you use to implement computer network security in your domain. [ please replace this text with your commercial tools ] 18.C) Insert below the public domain/GNU Copyleft packages you use to implement computer network security in your domain. 
[ npasswd; portions of Crack, COPS, SATAN; home-grown security sweep package ] -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 11:09:22 1995 Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Date: Mon, 11 Sep 95 09:10:26 -0500 From: Dave Hess Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Academic Computer Network Security Survey #1 Academic Computer Network Security Survey #1 ----- TOPIC: General security issues ----- Posting date: Monday, September 11, 1995 Last day for survey submission: Monday, October 2, 1995 Submit completed surveys to: survey@net.tamu.edu ----- This is the first of a series of surveys designed to collect (and subsequently redistribute) information about the state of computer network security in academic environments. Note that the survey is not restricted to academic environments; if you feel that your environment has the same characteristics then you are welcome to participate. The results of the survey will be announced within three weeks of the last day for survey submission. This survey is strictly anonymous. If you feel uncomfortable with any of the questions then do not answer those questions. If you feel uncomfortable divulging information about your site then you are encouraged to submit your survey via an anonymous remailer. If any of the free form answers are selected for inclusion in the report, they will first be "cleansed" of any references to actual institutions, departments, labs, or people. ----- INSTRUCTIONS: To fill out this survey, either delete all entries in matching brackets (brackets and all) following the question *except* the answer(s) to the question or replace the text in the brackets as indicated (i.e. any answer given will always be between brackets). Unless otherwise noted, choose only one answer for each question. Note that any other modification of the answer section may invalidate that answer. 
You do not need to modify the answer sections of skipped questions. In the following questions, "domain" refers to the scope represented by your answer(s) to question 1. ----- 1) Do your answers represent those of a person whose responsibilities are associated with an entire institution, individual department, lab or end user? (Put all that apply.) [ institution ] [ department ] [ lab ] [ user ] 2) Insert below the number of people within your domain that are responsible for computer security issues. [ please replace this text with the number of people ] 3) Rank on a scale of 1 to 5 the level of support for your computer security efforts in your domain that you receive from upper management (where 1 is very little support and 5 is excellent support). [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] 4) With regards to operating systems, is your network primarily homogeneous (one or two different operating systems) or heterogeneous (many different operating systems)? [ homogeneous ] [ heterogeneous ] 5) With regards to network protocols, is your network primarily homogeneous (one or two different protocols) or heterogeneous (many different protocols)? [ homogeneous ] [ heterogeneous ] 6) Does your domain have any type of physical security policy in place and/or is your domain covered by a physical security policy of a larger domain (physical meaning personal, site and property)? [ yes ] [ no ] 7) Does your domain have any type of computer security policy in place and/or is your domain covered by a computer security policy of a larger domain? [ yes ] [ no ] If yes: 7.A) In your opinion, is this computer security policy effective in increasing the security of your domain's computer network? [ yes ] [ no ] 7.B) Does this policy specifically address computer _network_ security issues? [ yes ] [ no ] 8) Have computer network security measures (anything more strict than free peer to peer access) been implemented in your domain? 
[ yes ] [ no ] If yes: 8.A) Rank on a scale of 1 to 5 the inconvenience of the security measures that were implemented (where 1 is very little inconvenience and 5 is extreme inconvenience). [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] 8.B) Rank on a scale of 1 to 5 the _initial_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] 8.C) Rank on a scale of 1 to 5 the _continuing_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] 8.D) Insert any other comments about implementing security measures below. (Note that any comments selected for the survey report will be "cleansed" of any references to actual institutions, departments, labs, or people.) [ please replace this text with your comments ] 9) In your opinion, what do you consider to be (or what was) the biggest obstacle(s) to increasing computer network security in your domain? [ please replace this text with your obstacle(s) ] 10) Rank on a scale of 1 to 5 your concern over the possibility of civil lawsuits against your domain resulting from attacks originating in your domain (where 1 is very little concern and 5 is extreme concern). [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] 11) With what frequency do you monitor your network (i.e. check log files, audit machines, perform packet captures, etc.) for attacks from the Internet against machines within your domain? [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ] If never: 11.A) With what frequency are successful attacks against machines in your domain detected after the fact? [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ] Otherwise: 11.B) Based on your monitoring, with what frequency are attempts to violate the security of machines in your domain made? [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ] 11.C) What percentage of those attempts are successful? 
[ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ] 12) With what frequency do you *believe* machines in your domain are being attacked (with and without your knowledge) from the Internet? [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ] 13) What percentage of all detected attacks originating from the Internet did you take punitive actions against? [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ] If not 0%: 13.A) What percentage of these attacks were handled at a local level (i.e. administrative action and/or local police)? [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ] 13.B) What percentage of these attacks were handled at a federal level (i.e. FBI)? [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ] 14) Have you ever contacted a CERT-like security organization for any kind of assistance? [ yes ] [ no ] If yes: 14.A) What percentage of the contacts resulted in a positive resolution to the problems that led you to contact them? [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ] 15) Have you ever been contacted by a CERT-like security organization due to a security incident? [ yes ] [ no ] 16) Insert below the information sources you use to aid you in maintaining computer network security in your domain (i.e. books, newsgroups, journals, magazines, etc.). [ please replace this text with your sources ] 17) What is the approximate annual monetary amount spent in your domain on the following security related items (answers should be of the form $1234567 ; i.e. 
no commas or abbreviations should be used): 17.A) Computer security software [ please replace this text with a dollar amount ] 17.B) Hardware for implementing computer security [ please replace this text with a dollar amount ] 17.C) Personnel with computer security responsibilities [ please replace this text with a dollar amount ] 17.D) Computer security training [ please replace this text with a dollar amount ] 17.E) Attack handling and cleanup [ please replace this text with a dollar amount ] 18) Approximately how many software/hardware tools do you use to aid you in maintaining computer network security in your domain? [ please replace this text with the number of tools ] If not 0: 18.A) What percentage of the major tools you use to aid you in maintaining computer network security in your domain are commercial packages or operating system utilities versus home-grown and public domain/GNU Copyleft covered tools? [ 0% commercial - 100% other ] [ 25% commercial - 75% other ] [ 50% commercial - 50% other ] [ 75% commercial - 25% other ] [ 100% commercial - 0% other ] 18.B) Insert below the commercial packages you use to implement computer network security in your domain. [ please replace this text with your commercial tools ] 18.C) Insert below the public domain/GNU Copyleft packages you use to implement computer network security in your domain. [ please replace this text with your public domain/GNU Copyleft tools ] -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 11:29:20 1995 Content-Type: text/plain Mime-Version: 1.0 (NeXT Mail 3.3 v118.2) Date: Mon, 11 Sep 95 11:25:35 -0500 From: Dave Hess Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Return surveys to survey@net.tamu.edu please! Please do not forward any filled out surveys back to the list! You have to be careful because the reply-to line in the post defaults to the list. Only send them to me at survey@net.tamu.edu. Thanks. Dave - --- David K. 
Hess Network Analyst David-K-Hess@tamu.edu Computing and Information Services - Network Group (409) 845-0372 (work) Texas A&M University -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 12:55:15 1995 Cc: academic-firewalls@net.tamu.edu In-Reply-To: (message from Paul Lemman on Mon, 11 Sep 1995 07:57:32 -0700) Date: Mon, 11 Sep 95 13:46:45 EDT From: peters@swi.com (Mark Peters) Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Re: Academic Computer Network Security Survey #1 -Reply In the following questions, "domain" refers to the scope represented by your answer(s) to question 1. ----- 1) Do your answers represent those of a person whose responsibilities are associated with an entire institution, individual department, lab or end user? (Put all that apply.) [ institution ] 2) Insert below the number of people within your domain that are responsible for computer security issues. [ 3 ] 3) Rank on a scale of 1 to 5 the level of support for your computer security efforts in your domain that you receive from upper management (where 1 is very little support and 5 is excellent support). [ 3 ] 4) With regards to operating systems, is your network primarily homogeneous (one or two different operating systems) or heterogeneous (many different operating systems)? [ homogeneous ] 5) With regards to network protocols, is your network primarily homogeneous (one or two different protocols) or heterogeneous (many different protocols)? [ homogeneous ] 6) Does your domain have any type of physical security policy in place and/or is your domain covered by a physical security policy of a larger domain (physical meaning personal, site and property)? [ yes ] 7) Does your domain have any type of computer security policy in place and/or is your domain covered by a computer security policy of a larger domain? 
[ no ] If yes: 7.A) In your opinion, is this computer security policy effective in increasing the security of your domain's computer network? [ no ] 7.B) Does this policy specifically address computer _network_ security issues? [ no ] 8) Have computer network security measures (anything more strict than free peer to peer access) been implemented in your domain? [ yes ] If yes: 8.A) Rank on a scale of 1 to 5 the inconvenience of the security measures that were implemented (where 1 is very little inconvenience and 5 is extreme inconvenience). [ 1 ] 8.B) Rank on a scale of 1 to 5 the _initial_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] 8.C) Rank on a scale of 1 to 5 the _continuing_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ] 8.D) Insert any other comments about implementing security measures below. (Note that any comments selected for the survey report will be "cleansed" of any references to actual institutions, departments, labs, or people.) [ ] 9) In your opinion, what do you consider to be (or what was) the biggest obstacle(s) to increasing computer network security in your domain? [ lack of staff or time to implement ] 10) Rank on a scale of 1 to 5 your concern over the possibility of civil lawsuits against your domain resulting from attacks originating in your domain (where 1 is very little concern and 5 is extreme concern). [ 1 ] 11) With what frequency do you monitor your network (i.e. check log files, audit machines, perform packet captures, etc.) for attacks from the Internet against machines within your domain? [ daily ] If never: 11.A) With what frequency are successful attacks against machines in your domain detected after the fact? [ monthly ] Otherwise: 11.B) Based on your monitoring, with what frequency are attempts to violate the security of machines in your domain made? 
[ weekly ] 11.C) What percentage of those attempts are successful? [ 0% ] 12) With what frequency do you *believe* machines in your domain are being attacked (with and without your knowledge) from the Internet? [ weekly ] 13) What percentage of all detected attacks originating from the Internet did you take punitive actions against? [ 0% ] If not 0%: 13.A) What percentage of these attacks were handled at a local level (i.e. administrative action and/or local police)? 13.B) What percentage of these attacks were handled at a federal level (i.e. FBI)? 14) Have you ever contacted a CERT-like security organization for any kind of assistance? [ no ] If yes: 14.A) What percentage of the contacts resulted in a positive resolution to the problems that led you to contact them? [ 80% - 100% ] 15) Have you ever been contacted by a CERT-like security organization due to a security incident? [ no ] 16) Insert below the information sources you use to aid you in maintaining computer network security in your domain (i.e. books, newsgroups, journals, magazines, etc.). [ books, magazines, newsgroups ] 17) What is the approximate annual monetary amount spent in your domain on the following security related items (answers should be of the form $1234567 ; i.e. no commas or abbreviations should be used): 17.A) Computer security software [ $0 ] 17.B) Hardware for implementing computer security [ $3000 ] 17.C) Personnel with computer security responsibilities [ $0 ] 17.D) Computer security training [ $0 ] 17.E) Attack handling and cleanup [ $0 ] 18) Approximately how many software/hardware tools do you use to aid you in maintaining computer network security in your domain? [ 4 ] If not 0: 18.A) What percentage of the major tools you use to aid you in maintaining computer network security in your domain are commercial packages or operating system utilities versus home-grown and public domain/GNU Copyleft covered tools? 
[ 0% commercial - 100% other ] 18.B) Insert below the commercial packages you use to implement computer network security in your domain. [ ] 18.C) Insert below the public domain/GNU Copyleft packages you use to implement computer network security in your domain. [ tcp_wrapper, cops, tiger, drawbridge, perl ] -------- From academic-firewalls-owner@net.tamu.edu Mon Sep 11 16:34:47 1995 X-Authentication-Warning: sis-lab1.massey.ac.nz: Host localhost didn't use HELO In-reply-to: Your message of "Mon, 11 Sep 1995 09:10:26 EST." <9509111410.AA15073@posaune.tamu.edu> Date: Tue, 12 Sep 1995 09:29:24 +1200 From: Philip Plane Reply-To: academic-firewalls@net.tamu.edu To: academic-firewalls@net.tamu.edu Subject: Re: Academic Computer Network Security Survey #1 > > 1) Do your answers represent those of a person whose responsibilities > are associated with an entire institution, individual department, > lab or end user? (Put all that apply.) > > [ department ] > > 2) Insert below the number of people within your domain that are > responsible for computer security issues. > > [ 3 ] > > 3) Rank on a scale of 1 to 5 the level of support for your computer > security efforts in your domain that you receive from upper > management (where 1 is very little support and 5 is excellent > support). > > [ 2 ] > > 4) With regards to operating systems, is your network primarily > homogeneous (one or two different operating systems) or > heterogeneous (many different operating systems)? > > [ heterogeneous ] > > 5) With regards to network protocols, is your network primarily > homogeneous (one or two different protocols) or heterogeneous > (many different protocols)? > > [ heterogeneous ] > > 6) Does your domain have any type of physical security policy in > place and/or is your domain covered by a physical security > policy of a larger domain (physical meaning personal, > site and property)? 
> [ yes ]
>
> 7) Does your domain have any type of computer security policy in place and/or is your domain covered by a computer security policy of a larger domain? [ no ]
>
> If yes:
>
> 7.A) In your opinion, is this computer security policy effective in increasing the security of your domain's computer network? [ yes ] [ no ]
>
> 7.B) Does this policy specifically address computer _network_ security issues? [ yes ] [ no ]
>
> 8) Have computer network security measures (anything more strict than free peer to peer access) been implemented in your domain? [ yes ]
>
> If yes:
>
> 8.A) Rank on a scale of 1 to 5 the inconvenience of the security measures that were implemented (where 1 is very little inconvenience and 5 is extreme inconvenience). [ 2 ]
>
> 8.B) Rank on a scale of 1 to 5 the _initial_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 2 ]
>
> 8.C) Rank on a scale of 1 to 5 the _continuing_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ]
>
> 8.D) Insert any other comments about implementing security measures below. (Note that any comments selected for the survey report will be "cleansed" of any references to actual institutions, departments, labs, or people.)
>
> [ Most security measures rely on the ignorance of users. If we don't tell them how to do something, they won't know how to cause problems. ]
>
> 9) In your opinion, what do you consider to be (or what was) the biggest obstacle(s) to increasing computer network security in your domain?
>
> [ Security is not seen as a problem by people who are in a position to authorise spending of resources. ]
>
> 10) Rank on a scale of 1 to 5 your concern over the possibility of civil lawsuits against your domain resulting from attacks originating in your domain (where 1 is very little concern and 5 is extreme concern). [ 1 ]
>
> 11) With what frequency do you monitor your network (i.e. check log files, audit machines, perform packet captures, etc.) for attacks from the Internet against machines within your domain? [ weekly ]
>
> If never:
>
> 11.A) With what frequency are successful attacks against machines in your domain detected after the fact? [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ]
>
> Otherwise:
>
> 11.B) Based on your monitoring, with what frequency are attempts to violate the security of machines in your domain made? [ yearly ]
>
> 11.C) What percentage of those attempts are successful? [ 80% - 100% ]
>
> 12) With what frequency do you *believe* machines in your domain are being attacked (with and without your knowledge) from the Internet? [ never ]
>
> 13) What percentage of all detected attacks originating from the Internet did you take punitive actions against? [ 0% - 20% ]
>
> If not 0%:
>
> 13.A) What percentage of these attacks were handled at a local level (i.e. administrative action and/or local police)? [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ]
>
> 13.B) What percentage of these attacks were handled at a federal level (i.e. FBI)? [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ]
>
> 14) Have you ever contacted a CERT-like security organization for any kind of assistance? [ no ]
>
> If yes:
>
> 14.A) What percentage of the contacts resulted in a positive resolution to the problems that led you to contact them?
> [ 0% - 20% ] [ 20% - 40% ] [ 40% - 60% ] [ 60% - 80% ] [ 80% - 100% ]
>
> 15) Have you ever been contacted by a CERT-like security organization due to a security incident? [ no ]
>
> 16) Insert below the information sources you use to aid you in maintaining computer network security in your domain (i.e. books, newsgroups, journals, magazines, etc.). [ comp.security.unix, CERT mailing list, various papers from the net. ]
>
> 17) What is the approximate annual monetary amount spent in your domain on the following security related items (answers should be of the form $1234567 ; i.e. no commas or abbreviations should be used):
>
> 17.A) Computer security software [ $1000 ]
> 17.B) Hardware for implementing computer security [ $0 ]
> 17.C) Personnel with computer security responsibilities [ $10000 ]
> 17.D) Computer security training [ $2000 ]
> 17.E) Attack handling and cleanup [ $500 ]
>
> 18) Approximately how many software/hardware tools do you use to aid you in maintaining computer network security in your domain? [ 10 ]
>
> If not 0:
>
> 18.A) What percentage of the major tools you use to aid you in maintaining computer network security in your domain are commercial packages or operating system utilities versus home-grown and public domain/GNU Copyleft covered tools? [ 50% commercial - 50% other ]
>
> 18.B) Insert below the commercial packages you use to implement computer network security in your domain. [ snoop (Solaris 2.4), Appmeter (Netware), VirusScan (MS-DOS) ]
>
> 18.C) Insert below the public domain/GNU Copyleft packages you use to implement computer network security in your domain. [ satan, iss, disinfectant (Macintosh), ]

-------- From academic-firewalls-owner@net.tamu.edu Tue Sep 12 06:13:56 1995
In-Reply-To: Your message of "11 Sep 95 11:44:08 EDT."
X-Mts: smtp
Date: Tue, 12 Sep 95 12:09:22 +0100
From: "David O'Byrne"
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic Computer Network Security Survey #1

> 1) Do your answers represent those of a person whose responsibilities are associated with an entire institution, individual department, lab or end user? (Put all that apply.) [ department ]
>
> 2) Insert below the number of people within your domain that are responsible for computer security issues. [ 2 ]
>
> 3) Rank on a scale of 1 to 5 the level of support for your computer security efforts in your domain that you receive from upper management (where 1 is very little support and 5 is excellent support). [ 3 ]
>
> 4) With regards to operating systems, is your network primarily homogeneous (one or two different operating systems) or heterogeneous (many different operating systems)? [ heterogeneous ]
>
> 5) With regards to network protocols, is your network primarily homogeneous (one or two different protocols) or heterogeneous (many different protocols)? [ homogeneous ]
>
> 6) Does your domain have any type of physical security policy in place and/or is your domain covered by a physical security policy of a larger domain (physical meaning personal, site and property)? [ no ]
>
> 7) Does your domain have any type of computer security policy in place and/or is your domain covered by a computer security policy of a larger domain? [ no ]
>
> If yes:
>
> 7.A) In your opinion, is this computer security policy effective in increasing the security of your domain's computer network? [ yes ] [ no ]
>
> 7.B) Does this policy specifically address computer _network_ security issues? [ yes ] [ no ]
>
> 8) Have computer network security measures (anything more strict than free peer to peer access) been implemented in your domain?
> [ yes ]
>
> If yes:
>
> 8.A) Rank on a scale of 1 to 5 the inconvenience of the security measures that were implemented (where 1 is very little inconvenience and 5 is extreme inconvenience). [ 2 ]
>
> 8.B) Rank on a scale of 1 to 5 the _initial_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ]
>
> 8.C) Rank on a scale of 1 to 5 the _continuing_ user resistance to these security measures (where 1 is very little resistance and 5 is extreme resistance). [ 1 ]
>
> 8.D) Insert any other comments about implementing security measures below. (Note that any comments selected for the survey report will be "cleansed" of any references to actual institutions, departments, labs, or people.)
>
> [ NFS access is allowed between systems if UIDs/GIDs are set correctly, and a sysadmin exists to ensure local security issues are acted upon; rlogin with no password is allowed if a reasonably competent sysadmin exists ]
>
> 9) In your opinion, what do you consider to be (or what was) the biggest obstacle(s) to increasing computer network security in your domain?
>
> [ Heterogeneous systems which require recompilation of packages, different names/locations of system configuration files, different implementations of things like shadow password files from each vendor ]
>
> 10) Rank on a scale of 1 to 5 your concern over the possibility of civil lawsuits against your domain resulting from attacks originating in your domain (where 1 is very little concern and 5 is extreme concern). [ 3 ]
>
> 11) With what frequency do you monitor your network (i.e. check log files, audit machines, perform packet captures, etc.) for attacks from the Internet against machines within your domain? [ daily ]
>
> If never:
>
> 11.A) With what frequency are successful attacks against machines in your domain detected after the fact?
> [ hourly ] [ daily ] [ weekly ] [ monthly ] [ yearly ] [ never ]
>
> Otherwise:
>
> 11.B) Based on your monitoring, with what frequency are attempts to violate the security of machines in your domain made? [ weekly ]
>
> 11.C) What percentage of those attempts are successful? [ 0% - 2% ]
>
> 12) With what frequency do you *believe* machines in your domain are being attacked (with and without your knowledge) from the Internet? [ weekly ]
>
> 13) What percentage of all detected attacks originating from the Internet did you take punitive actions against? [ 90% - 100% ]
>
> If not 0%:
>
> 13.A) What percentage of these attacks were handled at a local level (i.e. administrative action and/or local police)? [ 100% ]
>
> 13.B) What percentage of these attacks were handled at a federal level (i.e. FBI)? [ 0% - 20% ]
>
> 14) Have you ever contacted a CERT-like security organization for any kind of assistance? [ no ]
>
> If yes:
>
> 14.A) What percentage of the contacts resulted in a positive resolution to the problems that led you to contact them? [ 80% - 100% ]
>
> 15) Have you ever been contacted by a CERT-like security organization due to a security incident? [ yes ]
>
> 16) Insert below the information sources you use to aid you in maintaining computer network security in your domain (i.e. books, newsgroups, journals, magazines, etc.).
>
> [ Internet "USENET" security and vendor news groups; mailing lists for topics like "firewalls" and vendor-specific security issues, books, magazines ]
>
> 17) What is the approximate annual monetary amount spent in your domain on the following security related items (answers should be of the form $1234567 ; i.e. no commas or abbreviations should be used):
>
> 17.A) Computer security software [ $1000 ]
> 17.B) Hardware for implementing computer security [ $10000 ]
> 17.C) Personnel with computer security responsibilities [ $5000 ]
> 17.D) Computer security training [ $0 ]
> 17.E) Attack handling and cleanup [ $0 ]
>
> 18) Approximately how many software/hardware tools do you use to aid you in maintaining computer network security in your domain? [ 40 ]
>
> If not 0:
>
> 18.A) What percentage of the major tools you use to aid you in maintaining computer network security in your domain are commercial packages or operating system utilities versus home-grown and public domain/GNU Copyleft covered tools? [ 0% commercial - 100% other ]
>
> 18.B) Insert below the commercial packages you use to implement computer network security in your domain. [ please replace this text with your commercial tools ]
>
> 18.C) Insert below the public domain/GNU Copyleft packages you use to implement computer network security in your domain.
>
> [ npasswd; portions of Crack, COPS, SATAN; home-grown security sweep package, tripwire, xinetd, tcp wrapper, login controllers, drawbridge, etc ... ]

----------------------------------
David O'Byrne dave@odyssey.ucc.ie

-------- From academic-firewalls-owner@net.tamu.edu Wed Sep 13 08:07:56 1995
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 13 Sep 1995 08:03:43 -0500
From: fmartin@killerbee.jsc.nasa.gov (Frank E. Martin)
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Time for some CPR...

David,

> Since there are over 700 subscriptions to this list, it seems to me that everybody wants to read about security in academic institutions but nobody wants to talk about theirs (for whatever reason).

I'm one of the many lurkers on this list.
I joined the list hoping to get information and illustrations that would assist me in convincing the scientists at our NASA Center that academicians are aware of network threats and are using firewalls to protect information in their computers. Too often I hear our scientists and engineers argue that firewalls shouldn't be used because they would compromise the ability for collaboration with the academic community.

Frank

==============================================================================
Frank E. Martin, Ph.D.
JSC Deputy Center Computer Security Manager
NASA Johnson Space Center, Houston (713) 483-6237
email: frank.e.martin1@jsc.nasa.gov
PGP public key available at pgp-public-keys@pgp.mit.edu

-------- From academic-firewalls-owner@net.tamu.edu Wed Sep 13 08:29:08 1995
In-Reply-To:
Date: Wed, 13 Sep 1995 08:25:16 -0500
From: Doug Hughes
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Time for some CPR...

> David,
>
> > Since there are over 700 subscriptions to this list, it seems to me that everybody wants to read about security in academic institutions but nobody wants to talk about theirs (for whatever reason).
>
> I'm one of the many lurkers on this list. I joined the list hoping to get information and illustrations that would assist me in convincing the scientists at our NASA Center that academicians are aware of network threats and are using firewalls to protect information in their computers. Too often I hear our scientists and engineers argue that firewalls shouldn't be used because they would compromise the ability for collaboration with the academic community.
>
> Frank
>
> ==============================================================================
> Frank E. Martin, Ph.D.
> JSC Deputy Center Computer Security Manager
> NASA Johnson Space Center, Houston (713) 483-6237
> email: frank.e.martin1@jsc.nasa.gov
> PGP public key available at pgp-public-keys@pgp.mit.edu

I hope you told them that that's completely absurd! :)

We use tcp-wrappers, a lot of logging, port-traps for detection of satan, ISS, and other port-scanners, pseudo-smart log parsing programs, lots of security patches, and a choke to force all remote logins through two machines (from the outside->in). I personally want to stick stel on our two gateway machines as soon as it is available. This represents security with almost no compromise in ease of use, for me.

The reason the choke works is that all the internal machines refuse telnet, rlogin, rsh, etc (stuff out of inetd) via tcp-wrappers. Also, our Cisco routers have filters that prevent probes on port 111 (sunRPC), 2049 (NFS), source routing, and IP spoofing. The cisco measures protect the entire university; the previous paragraph is an Engineering-only implementation.

The most useful tool I find is a little tcl/tk program I put together that watches the log files and displays interesting events in real time in multiple colors, and de-iconizes and jumps to the front on user-defined (me being user) alarm conditions.

--
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
Apple T-shirt on Win95 - "Been there, done that"

-------- From academic-firewalls-owner@net.tamu.edu Wed Sep 13 09:11:57 1995
Date: Wed, 13 Sep 1995 15:08:05 +0100 (BST)
From: Neil
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Time for some CPR...
> David,
>
> > Since there are over 700 subscriptions to this list, it seems to me that everybody wants to read about security in academic institutions but nobody wants to talk about theirs (for whatever reason).
>
> I'm one of the many lurkers on this list. I joined the list hoping to get

Likewise ;-)

Currently trying to press for changes here to get rid of an awful Trusted Solaris sun-based thing that runs a 2 xterm X-Windows interface :-) Completely untransparent, only works for text and requires the use of an X-Server on each PC behind the host. Daft.

Just generally lurking in case anything of use comes around.

Cheers,
Neil

----------------------------------------------------------------------------
Neil A Carson, Computing/Information Services / Languages Unit / Student
The Royal Military College of Science, Shrivenham
E-mail: carson@rmcs.cranfield.ac.uk <= use this one
neil@samtech.demon.co.uk, neil@g7kqy.ampr.org
finger carson@gw.rmcs.cranfield.ac.uk for more info
----------------------------------------------------------------------------

-------- From academic-firewalls-owner@net.tamu.edu Wed Sep 13 10:23:36 1995
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
References: <950913150805.6868@rmcs.cranfield.ac.uk>
Date: Wed, 13 Sep 95 10:19:52 -0500
From: Dave Hess
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Time for some CPR...

[ couple of posts about lurking ]

I know this is obvious and sounds preachy but when everybody lurks there is no one left to post. I'm hoping that I will get a good response to the survey (24 so far) and that the discussion of the results will get more lurkers to "come out of the closet" so to speak. :-)

By the way, I think one of the best means to help you promote network security is to first of all assess what kind of traffic (and possibly attacks) are coming in from the Internet to your network.
Use things like netlog to characterize your traffic and to discover any ongoing attacks that you don't know about. This can be a truly eye-opening experience.

Dave

---
David K. Hess Network Analyst
David-K-Hess@tamu.edu Computing and Information Services - Network Group
(409) 845-0372 (work) Texas A&M University

-------- From academic-firewalls-owner@net.tamu.edu Thu Sep 14 08:14:56 1995
X-Sender: csbarli@rs6000.cmp.ilstu.edu
X-Mailer: Windows Eudora Version 1.4.3b4
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 14 Sep 1995 08:11:03 -0500
From: csbarli@rs6000.cmp.ilstu.edu (Connie Barling)
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Traffic watcher for Token Ring networks

I keep hearing that you need to protect against passing clear text passwords over the Internet. I have been told there currently is not any software to watch Internet protocol traffic on Token Ring networks, only Ethernet. Is this true? And if not, where might I find some software to watch? Any information would be appreciated.

Connie Barling Data Security Administrator, Information Systems
Illinois State University internet: csbarli@rs6000.cmp.ilstu.edu
Campus Box 3470 voice: 309.438.8964
Normal, IL 61790-3470 fax: 309.438.3027

-------- From academic-firewalls-owner@net.tamu.edu Thu Sep 14 11:55:10 1995
Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
Date: Thu, 14 Sep 95 11:51:06 -0500
From: Dave Hess
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Traffic watcher for Token Ring networks

> > I keep hearing that you need to protect against passing clear text passwords over the Internet. I have been told there currently is not any software to watch Internet protocol traffic on Token Ring networks, only Ethernet. Is this true? And if not, where might I find some software to watch? Any information would be appreciated.
>
> You should be able to 'sniff' token ring packets since 802.5 (Token Ring) is a broadcast transport medium. HP 9000's come with a program called nettl. Check it out. Also, tcplogger and udplogger work great on a Sparc running SunOS 4.1.3 with a token ring interface. -Brad

Token Ring is touted as being more secure than ethernet because your typical Token Ring card does not (or at least did not) support promiscuous mode, or if you paid the extra money to get one that did, you couldn't do it without the permission of LAN Manager, et al.

Of course if you are not using LAN Manager and have a token ring interface that does support promiscuous (like above), then all bets are off.

There are some things that you can do to help prevent password sniffing. On Ethernet you can use hubs with eavesdrop protection. This prevents a node on a LAN (assuming you have it architected properly) from listening in on other nodes' conversations via scrambling. On Token Ring the only hardware solution I know of is to use switches so that traffic is isolated.

For protection against password sniffing outside your domain (or on Token Ring if you don't want to use switches) you can use a one time password system like S/Key for authentication. Or, if you want to trade out client and server software you can use things like stel, SSH, SRA telnet, etc. which basically use reusable passwords without exposing them in plaintext on the wire.

These approaches can take a pretty big bite out of the password sniffing problem.

Dave

---
David K. Hess Network Analyst
David-K-Hess@tamu.edu Computing and Information Services - Network Group
(409) 845-0372 (work) Texas A&M University

-------- From academic-firewalls-owner@net.tamu.edu Thu Sep 14 12:15:20 1995
Date: Thu 14 Sep 1995 08:40 CT
From: UDSD007@DSIBM.OKLADOT.STATE.OK.US (Mike.Andrews )
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Traffic watcher for Token Ring networks

csbarli@rs6000.cmp.ilstu.edu (Connie Barling) wrote:

> I keep hearing that you need to protect against passing clear text passwords over the Internet. I have been told there currently is not any software to watch Internet protocol traffic on Token Ring networks, only Ethernet. Is this true? And if not, where might I find some software to watch? Any information would be appreciated.

One {expensive} way to watch traffic on T/R LANs is to buy a Sniffer or equivalent; Network General sells Sniffers, and other vendors sell hardware/software combinations that do approximately the same thing. All that is required, AFAIK, is a Token-Ring Trace Adapter, or other Token-Ring card that can be put into promiscuous mode, and software to drive it. We bought a Sniffer, with Ethernet, Serial, and T/R interfaces, and use it heavily for troubleshooting. And yes, passwords do show up in the clear for non-Kerberized applications.

--
Mike Andrews udsd007@dsibm.okladot.state.ok.us
Mgr., Tech. Support, Okla. Dept. of Transportation
I must have been a very bad cockroach in a previous life: I came back as a _postmaster_.
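Dave Hess's suggestion above of a one-time password system like S/Key is worth seeing worked through, because it is the mitigation that makes a sniffed password (which Mike Andrews confirms shows up in the clear) worthless to whoever captured it. The following is an added example, not code from the thread or from the S/Key distribution: a simplified S/Key-style hash chain in which the server stores only the next expected hash, using SHA-256 instead of S/Key's folded MD4/MD5 (an assumption made for clarity); user names, seeds and passphrases are constructed.

```python
import hashlib

# Added example (not from the mailing list): a simplified S/Key-style one-time
# password scheme, i.e. a Lamport hash chain. Real S/Key folds MD4/MD5 output
# to 64 bits; SHA-256 is assumed here for clarity. All names and values below
# are constructed for the demonstration.


def _h(data: bytes) -> bytes:
    """One step of the hash chain."""
    return hashlib.sha256(data).digest()


def chain_value(passphrase: str, seed: str, count: int) -> bytes:
    """Return H^count(seed || passphrase): the one-time password for sequence
    number `count`. The client recomputes this from its secret passphrase on
    every login, so the passphrase itself never crosses the wire."""
    x = _h((seed + passphrase).encode())
    for _ in range(count):
        x = _h(x)
    return x


class SkeyServer:
    """Server side: keeps only the *next* expected hash, never the passphrase,
    so a stolen server database does not yield reusable credentials either."""

    def __init__(self) -> None:
        # user -> {"seed": str, "seq": int, "stored": bytes}
        self.users: dict[str, dict] = {}

    def enroll(self, user: str, passphrase: str, seed: str, n: int = 100) -> None:
        """Enrollment happens out of band (e.g. on the console). Afterwards the
        server holds H^n and forgets the passphrase."""
        self.users[user] = {"seed": seed, "seq": n,
                            "stored": chain_value(passphrase, seed, n)}

    def challenge(self, user: str):
        """Return (sequence number, seed) the client must answer, or None once
        the chain is exhausted and the user must re-enroll with a fresh seed."""
        rec = self.users[user]
        if rec["seq"] == 0:
            return None
        return rec["seq"] - 1, rec["seed"]

    def verify(self, user: str, response: bytes) -> bool:
        """Accept iff H(response) equals the stored value, then step the chain
        back by one so the same response can never be accepted again."""
        rec = self.users[user]
        if rec["seq"] == 0 or _h(response) != rec["stored"]:
            return False
        rec["stored"] = response   # next login must present H^(seq-2)
        rec["seq"] -= 1
        return True


def login(server: SkeyServer, user: str, passphrase: str):
    """One complete client/server exchange.
    Returns (accepted, response_sent_on_wire); the second item is exactly
    what a sniffer on the Token Ring or Ethernet segment would capture."""
    chal = server.challenge(user)
    if chal is None:
        return False, b""
    seq, seed = chal
    response = chain_value(passphrase, seed, seq)
    return server.verify(user, response), response


if __name__ == "__main__":
    srv = SkeyServer()
    srv.enroll("alice", "correct horse battery", "tamu1234", n=5)
    ok, seen_on_wire = login(srv, "alice", "correct horse battery")
    print("first login accepted:", ok)
    # Replaying the captured value is refused: the server now expects H^3.
    print("replay accepted:", srv.verify("alice", seen_on_wire))
```

The trade-off the thread does not spell out is the finite chain: after `n` logins the server returns no challenge and the user must re-enroll out of band, which is why S/Key deployments track the remaining sequence count.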
-------- From academic-firewalls-owner@net.tamu.edu Fri Sep 15 01:28:50 1995
Organization: Standard Bank of South Africa
X-Confirm-Reading-To: "Mervin Pearce"
X-Pmrqc: 1
X-Mailer: Pegasus Mail/Windows (v1.22)
content-length: 3403
Date: Fri, 15 Sep 1995 08:22:19 +0000
From: "Mervin Pearce"
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Traffic watcher for Token Ring networks

> Date: Thu, 14 Sep 95 11:51:06 -0500
> From: Dave Hess
> Reply-to: academic-firewalls@net.tamu.edu
> To: academic-firewalls@net.tamu.edu
> Subject: Re: Traffic watcher for Token Ring networks
>
> > > I keep hearing that you need to protect against passing clear text passwords over the Internet. I have been told there currently is not any software to watch Internet protocol traffic on Token Ring networks, only Ethernet. Is this true? And if not, where might I find some software to watch? Any information would be appreciated.
>
> > You should be able to 'sniff' token ring packets since 802.5 (Token Ring) is a broadcast transport medium. HP 9000's come with a program called nettl. Check it out. Also, tcplogger and udplogger work great on a Sparc running SunOS 4.1.3 with a token ring interface. -Brad
>
> Token Ring is touted as being more secure than ethernet because your typical Token Ring card does not (or at least did not) support promiscuous mode, or if you paid the extra money to get one that did, you couldn't do it without the permission of LAN Manager, et al.
>
> Of course if you are not using LAN Manager and have a token ring interface that does support promiscuous (like above), then all bets are off.
>
> There are some things that you can do to help prevent password sniffing. On Ethernet you can use hubs with eavesdrop protection. This prevents a node on a LAN (assuming you have it architected properly) from listening in on other nodes' conversations via scrambling.
> On Token Ring the only hardware solution I know of is to use switches so that traffic is isolated.
>
> For protection against password sniffing outside your domain (or on Token Ring if you don't want to use switches) you can use a one time password system like S/Key for authentication. Or, if you want to trade out client and server software you can use things like stel, SSH, SRA telnet, etc. which basically use reusable passwords without exposing them in plaintext on the wire.
>
> These approaches can take a pretty big bite out of the password sniffing problem.
>
> Dave
>
> ---
> David K. Hess Network Analyst
> David-K-Hess@tamu.edu Computing and Information Services - Network Group
> (409) 845-0372 (work) Texas A&M University

Token-ring is just as problematic as ethernet; I use Novell's LAN Analyzer to obtain information in real-time mode. Herewith follows an extract from IBM Token-ring Network 16/4 Adapter Hardware Reference Library IBM#16F0545 / Guide to Operations.

'Note: This product is intended for use within a single establishment and within a single, homogeneous user population. For sensitive applications requiring isolation from each other, management may wish to provide isolated cabling or to encrypt the sensitive data before putting it on the network'.
Regards

**********************************************************
Mervin Pearce                      P.O.Box 598
IT Audit Specialist                Boksburg
e-mail: pearcem@orion.sbic.co.za   1460
Tel +27 (011) 636-8173             South Africa
Fax +27 (011) 636-4058
Cel: 082-255-5356
**********************************************************

-------- From academic-firewalls-owner@net.tamu.edu Fri Sep 15 03:51:49 1995
X-Real-Sender: CH
Organization: University of Oxford
X-mailer: Pegasus Mail v3.22
Date: Fri, 15 Sep 1995 09:48:02 GMT0BST
From: Mark Walters
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: RCPT: Re: Traffic watcher for Token Ring networks

Confirmation of reading: your message -

Date: 15 Sep 95 8:22
To: academic-firewalls@net.tamu.edu
Subject: Re: Traffic watcher for Token Ring networks

Was read at 9:48, 15 Sep 95.

Mark

===================================================================
Mark Walters          | Mark.Walters@admin.ox.ac.uk
Network Administrator |
University Offices    |
Wellington Square     | Tel: +44 (0)1865 270246
Oxford OX1 2JD        | FAX: +44 (0)1865 270708
===================================================================
PGP key fingerprint C5 05 C9 DF 0A D6 8C 08 50 CE B7 9F 52 36 2E 31

-------- From academic-firewalls-owner@net.tamu.edu Fri Sep 15 08:13:59 1995
Date: Fri, 15 Sep 1995 08:09:50 -0500
From: Willis Marti
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Token Ring Traffic Watcher

We bought a TR card that goes into promiscuous mode for a monitoring project. The "good" news is that most vendors don't support that capability, and the ones that did didn't know how to make it work (I had to talk to a senior person in their development group, who figured it out by reading their code). The "bad" news is that it works great and all the issues about reading passwords re-surface. It wasn't hard -- one card, one PC, one grad student & voila.
-------------------------------------------------------------------------------
Willis F. Marti Internet: willis@cs.tamu.edu
Director, Computer Services Group, Dept of Computer Science, Texas A&M Univ.