-------- From academic-firewalls-owner@net.tamu.edu Wed Oct 16 11:29:18 1996
Date: Wed, 16 Oct 1996 10:52:12 -0500 (CDT)
From:
Reply-To:
To: academic-firewalls@net.tamu.edu
Subject: Scientific Discoveries Minimize Aging (DHEA)

"Your Health Superstore is www.natureplus.com

Take advantage of the amazing natural benefits of DHEA. In the search for the FOUNTAIN OF YOUTH, DHEA is a must README.

"I can't wait 30 More years for the National Institute on Aging to save my ass." says Dr. Regelson, a leading DHEA researcher.

From Medical Research by Dr. S.S.C.YEN; "DHEA in appropriate replacement doses appears to have remedial effects with respect to its ability to induce an anabolic growth factor, increase muscle strength and lean body mass, activate immune function, and enhance quality of life in aging men and women, with no significant adverse effects."

Join the baby-boomer millions now enjoying Natural new energy from DHEA!

Click on: http://dhea.natureplus.com

-------- From academic-firewalls-owner@net.tamu.edu Wed Oct 16 22:12:01 1996
Content-Type: text
Date: Wed, 16 Oct 1996 22:48:55 -0400 (EDT)
From: Tim Miley
To: academic-firewalls@net.tamu.edu
Subject: Suggestion: A moderator

I just got something from NaturePlus addressed from academic firewalls.
Methinks the group needs a moderator...

...and given the low traffic, participants and discussion would be a plus.

Tim

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 08:37:38 1996
Date: Thu, 17 Oct 1996 09:04:26 -0400
From: gary flynn
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

I don't think a moderator is necessary on a list with about one message a week, if that.
-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 09:13:34 1996
Date: Thu, 17 Oct 1996 09:05:05 -0500
From: Doug Hughes
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

FYI: Bob 'willie' williams @ moneyworld.com is the same person who put out the CHAG announcement a couple of months ago that spammed the net, and the same person who does all the moneyworld.com stuff that is continuing to spam the net. MCI (his original service provider) discontinued his service as an ISP for violating some kind of agreement after getting bombarded with spam complaints (abuse@mci.net).

I have a filter set up on our central mail server (procmail - global) that bounces anything from moneyworld.com or healthworld.com or natureplus.com to willie@moneyworld.com, dyno@cyberspace.com, abuse@Psi.net (the service provider for natureplus), or abuse@sprintlink.net (service provider for moneyworld).

It would perhaps be appropriate to set up the list so that only subscribers to the list are able to post. Most of these mass-remailer-software-crap programs don't bother subscribing to a group before trying to send mail to it.

Face it, spam is on the rise. In the last 2 weeks I've gotten at least 5 pieces of separate junk-email (those are the ones that didn't get filtered out).

And now a word from our sponsor... ;)

-- 
____________________________________________________________________________
Doug

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 11:26:34 1996
X-Sender: hendrtw@mallard
cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610170248.WAA31026@yakko.cs.wmich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Thu, 17 Oct 1996 11:13:49 -0500 (CDT)
From: Dark_Skye
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

On Wed, 16 Oct 1996, Tim Miley wrote:
>
> I just got something from NaturePlus addressed from academic firewalls.
> Methinks the group needs a moderator...
>
> ...and given the low traffic, participants and discussion would be a plus.
>
> Tim
>

I agree, Tim. I joined this group so I could learn and grow as a user..... lets just start discussing anything relative to the topic....like network art of any sort...ANYTHING is better than spam!!!

Dark_Skye
... / / #]=======||>>>>>>>>>>>>>>>>>>>>>>>>>>>> \ \ """
dost thou feel....lucky?
"life is sexually transmitted"
"blood and Perie GODDAMN IT!"

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 12:08:46 1996
Content-Type: text
Date: Thu, 17 Oct 1996 12:58:13 -0400 (EDT)
From: Tim Miley
To: academic-firewalls@net.tamu.edu
Subject: Academic firewalls

Ok. Here's something on topic:

The University has always been a place of free exchange of ideas and communication. The internet has helped greatly. The problem with Internet Firewalls at academic institutions, as I see them, are the fact that they can easily squelch free expression in the interests of security. How would a system administrator implement firewalls in an academic setting so that the free exchange of ideas can take place without leaving the system open to internet Cracker riff-raff?

Can most firewall products selectively analyze network traffic on the fly and determine what is and isn't legitimate uses? What do you block?

What do you let through?

Tim

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 12:33:28 1996
Cc: academic-firewalls@net.tamu.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-MD5: 4HZIhMphO2vrF2lGNl/7Dg==
Date: Thu, 17 Oct 1996 10:21:54 -0700
From: jimaf@cs.uidaho.edu (Jim Alves-Foss)
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

>
> I agree, Tim. I joined this group so I could learn and grow as a user.....
> lets just start discussing anything relative to the topic....like network
> art of any sort...ANYTHING is better than spam!!!
>
> Dark_Skye

OK, here is a starting topic for you.
I have a couple of students currently working on a network monitoring tool. This is based on the SNIF prototype I worked on a couple of years ago [http://www.cs.uidaho.edu/~jimaf/docs/snif.ps]

One question that has come up during the development discussions is: What do people really want to know? In other words, when monitoring the activity of your site, what information is of importance to you and what is not essential?

In my case, I am primarily interested in finding unauthorized servers and abnormal remote logins. I DO NOT want to look at packet contents or content streams, just want to find out the big picture of what is happening. Maybe even look at failed login attempts and doorknob-style attacks.

-Jim Alves-Foss, Director
Laboratory for Applied Logic
Computer Science Department
University of Idaho
(jimaf@cs.uidaho.edu)
(208) 885-7232
(208) 885-9052 [FAX]

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 13:31:06 1996
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610171658.MAA17580@yakko.cs.wmich.edu>; from "Tim Miley" at Oct 17, 96 12:58 pm
X-Mailer: ELM [version 2.3 PL11]
Date: Thu, 17 Oct 96 12:22:29 MDT
From: woods@ucar.edu (Greg Woods)
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls\]

> The University has always been a place of free exchange of ideas and
> communication. The internet has helped greatly. The problem with Internet
> Firewalls at academic institutions, as I see them, are the fact that they can
> easily squelch free expression in the interests of security.

To be honest, I really don't see what you're getting at here. Firewalls do not let some things through and block others based on content. You could have a *policy* that says you can't http to playboy.com, and you could say that is suppressing free expression maybe, but in that case, it's the policy, not the firewall, that's doing the suppressing. I don't think the mere existence of a firewall constitutes stifling of free expression.
--Greg

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 13:28:32 1996
Cc: academic-firewalls@net.tamu.edu
Date: Thu, 17 Oct 1996 14:20:16 -0400
From: paw@northstar.dartmouth.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

> OK, here is a starting topic for you.
>
> I have a couple of students currently working on a network monitoring tool.
> This is based on the SNIF prototype I worked on a couple of years ago
> [http://www.cs.uidaho.edu/~jimaf/docs/snif.ps]
>
> One question that has come up during the development discussions is: What do
> people really want to know? In other words, when monitoring the activity of
> your site, what information is of importance to you and what is not essential?
>
> In my case, I am primarily interested in finding unauthorized servers and
> abnormal remote logins. I DO NOT want to look at packet contents or content
> streams, just want to find out the big picture of what is happening. Maybe
> even look at failed login attempts and doorknob-style attacks.
>
> -Jim Alves-Foss, Director
> Laboratory for Applied Logic
> Computer Science Department
> University of Idaho
> (jimaf@cs.uidaho.edu)
> (208) 885-7232
> (208) 885-9052 [FAX]

I'd like to be able to get reports of "unusual" traffic patterns between machines. Perhaps this is a threshold - I expect machine foo to be doing N ppm to bar, but K to baz (or not to baz at all) - if the count exceeds N by some factor, it's something I want to know. Or foo shouldn't be generating much traffic and if it does, that's an alert.

I also would dearly love a way to know when a new device enters the network (more practically, a monitored subnet) - it's almost too easy to hop on some of our subnets these days, when ports abound and we're doing DHCP.

[ Product plug here, sorry ] Dartmouth has developed a program called InterMapper (runs on a Mac) that does some of this quite nicely - more info at - though it's written from a network management/troubleshooting perspective, rather than a security angle.
Pat Wilson
paw@dartmouth.edu

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 14:54:23 1996
Content-Type: text
Date: Thu, 17 Oct 1996 15:25:06 -0400 (EDT)
From: Tim Miley
To: academic-firewalls@net.tamu.edu
Subject: I see said the blind man

I guess I was under the impression that a firewall totally blocked packets from the internal network, forcing the network user to actually connect to the firewall to address the outside net, virtually blocking the local net from the outside world.

Can a firewall selectively filter packets that, for example, are aimed at a Novell server, without blocking the Novell user's ability to access the net.

For example:

Internet |---(Novell control packet)-->||Firewall||          Lan user

Internet |---(HTTP transfer packet)--->||Firewall||----> Lan user

Tim

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 15:41:04 1996
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610171925.PAA19901@yakko.cs.wmich.edu>; from "Tim Miley" at Oct 17, 96 3:25 pm
X-Mailer: ELM [version 2.3 PL11]
Date: Thu, 17 Oct 96 14:31:08 MDT
From: woods@ucar.edu (Greg Woods)
To: academic-firewalls@net.tamu.edu
Subject: Re: I see said the blind man

> I guess I was under the impression that a firewall totally blocked packets from
> the internal network, forcing the network user to actually connect to the
> firewall to address the outside net, virtually blocking the local net from the
> outside world.

Not necessarily; it depends on how your firewall is configured. In fact, by blocking only SYN packets inbound, you can prevent any external users from establishing TCP connections to your internal hosts, without restricting what the internal users connect to at all. One can argue about whether or not that is sufficiently safe, but again, it isn't the mere presence of a firewall that restricts your users, but rather the policies under which it is configured.
Besides, even if users do have to use a proxy server on the firewall to get out, this is at worst an annoyance. This is hardly stifling of free expression, unless you go on to use the proxy server to restrict where they can connect to, which is not implied by the mere existence of a proxy. This is rather like the difference between having a noise ordinance, which may restrict the volume at which you can speak, vs. having a cop stop you due to the content of what you are saying. The former is not "stifling of free expression"; the latter is.

> Can a firewall selectively filter packets that, for example, are aimed at a
> Novell server, without blocking the Novell user's ability to access the net.

I know zilch about Novell, so bear that in mind, but from your picture:

> Internet |---(Novell control packet)-->||Firewall||          Lan user
>
> Internet |---(HTTP transfer packet)--->||Firewall||----> Lan user

Any decent firewall should be able to do this; this is a restriction based on protocol type, which is a fairly standard capability for a firewall.

--Greg

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 16:42:48 1996
X-MS-TNEF-Correlator:
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Encoding: 61 TEXT, 59 UUENCODE
X-MS-Attachment: WINMAIL.DAT 0 00-00-1980 00:00
Date: Thu, 17 Oct 1996 14:23:37 -0700
From: "Schmidt, Bill (MSED)"
To: academic-firewalls@net.tamu.edu
Subject: RE: Suggestion: A moderator

I'm new to network security work, but here are a few things I'd like to be aware of:

I'd like to know when someone attempts an ftp "put" (or mput), when only "get" is authorized for the IP address of the ftp server. I'd also like to know if someone attempts a tftp operation.

I'd like to know if someone is trying to log on remotely to any server as "root", "admin", and "administrator".

I'd like to know when someone is trying to modify any "pre-defined" files on any server.

I'd like to know when modifications are attempted via SNMP.
I'd like to know........much much more than I do now.

Bill Schmidt

----------
From: Jim Alves-Foss[SMTP:jimaf@cs.uidaho.edu]
Sent: Thursday, October 17, 1996 10:21 AM
To: academic-firewalls@net.tamu.edu
Cc: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

>
> I agree, Tim. I joined this group so I could learn and grow as a user.....
> lets just start discussing anything relative to the topic....like network
> art of any sort...ANYTHING is better than spam!!!
>
> Dark_Skye

OK, here is a starting topic for you.

I have a couple of students currently working on a network monitoring tool. This is based on the SNIF prototype I worked on a couple of years ago [http://www.cs.uidaho.edu/~jimaf/docs/snif.ps]

One question that has come up during the development discussions is: What do people really want to know? In other words, when monitoring the activity of your site, what information is of importance to you and what is not essential?

In my case, I am primarily interested in finding unauthorized servers and abnormal remote logins. I DO NOT want to look at packet contents or content streams, just want to find out the big picture of what is happening. Maybe even look at failed login attempts and doorknob-style attacks.

-Jim Alves-Foss, Director
Laboratory for Applied Logic
Computer Science Department
University of Idaho
(jimaf@cs.uidaho.edu)
(208) 885-7232
(208) 885-9052 [FAX]
`\`0$-@ 0``@````(` M`@`!!( !`!P```!213H@4W5G9V5S=&EO;CH@02!M;V1E`' ``0```!P```!213H@ M4W5G9V5S=&EO;CH@02!M;V1E/,C4U`H * M@0VQ"V#@;F0) 96T%, 0@ M`Y$!@'"((")P'J B("@%L;LD0!Z@*1YP(S,"(&P>$'PB9Q(`)4 $`!\0'J!H M^06P:7H)@!]P!;$?P!\`Y$E0'Q!D9!>0!!$A@"1_A'.+W%R P M< (@(!>0!& D(":!OQSQ`' >$"G4'Q $("(#8-4Q8"(><"(HH&T+@#,A?P!P M(% S5 0`," D``6P(O\N#R,.+_L$80:0'A Q\B4`?1>0+0VQ"X )@"5 .1!L M/P>1,0$Q^#4?(P8W\VECWRVS)'$>\B04)\%V!S &`%A.35 ZOR,`+C^U;?YU M$; ED$!#!; @H1' `Z!X22!D'0$_D0J%"H5"VP,0`R!3$; S@&0%0$)F(PJ+ M(' Q.# "T6DM>#$T- WP#-!%HPM9,:XV"J #8"0@8P5 +4?'KPJ'1GL,,$=& M1@-A.DC.LT=&#((@2@=P$W!L*@`0<)I/1Y!O(/ %P#$W M'G 0,3DY-E0P,#HRF1Q004U/#TE]5&]13]]+NP#0** D,#R0+3D0%Y#3(3!# M`'- '2$N`9! ,.=.LE5?27U#8U=_6(]9G\=:KUN_4(=U8FI'@5UOV4N[4F5C MH&,P9R; -)#[+=%CH$$WXBV2!;!#ST33?#,V1D<4(@P!1T8*A3Y[:BA!<&$) MPE,03)%!<&K^;SDB'[($( G "& IL1T`TT%P!:!U;"!190K .?+?(%!L\0?@ M,J$?8'4IT3^S]VHW.: D86IO0 5 -) *P/\%0#@0!/!O0 "0,&$Q\1_#?S$A M"V MP"H`'.(H,ASP65"#/D*A4]+'G >TR<2 M0A@*C!!(=%C!2!& #`#31,%0&\/\J,%,@)Q%W4C*@)\$Q`2@RL3Y M248@1T(Q8'DM@/]!88!YA"1^BGI $=%K81T`?EMHS1PQ#& 7<$=%1/!N"FL@ M4&@"0' Z+R]*=XKP+DXK+WY-PR\309!.("]S`P!F+G"O% ;S DX+].T(+$*$$-L"H`%R!P!X"_`C!Q5SSB! 
`A MI@J%5Y 2_T&1+8 M<'[A%Y!@(1X1`'!K!4 UU3]"#$DF02@Q$/\\H!'P'G!K41R0%?!-T040 M_R:!"X!WL68!)\(+@#@0,&'\=6XG0@-@)Z,IU"1R*H'^8C80FX$#( J%,30P ML@N DTXP06%$3P>P3U25I]T7(&\=@) A"K!C() %0'\%H*(Q?Y(%L:C57[A) &H M<4XP>F_M0CDM3(P><$1?X5/19R9\($P!H 6P-,(>$"?R0=>N0"!P)\%,IF%C MMM8(4)\EHC)Q0S (D)U"1&4*L79TDC*VUE4#`*12F=5)VTYRMM8H3<].T"F\ M]P'0@#@I(#@X-2T!P(0S,K[/+3DP-1(@\%M&05A.]F>O1D<;Q0MIO1:Q`,60 M```#`#8```````,`)@```````@'Y/P$````>`````````-RG0,C 0A :M+D( M`"LOX8(!`````````"X````>`/@_`0```!4```!3>7-T96T@061M:6YI X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Encoding: 53 TEXT, 57 UUENCODE X-MS-Attachment: WINMAIL.DAT 0 00-00-1980 00:00 Date: Thu, 17 Oct 1996 14:38:44 -0700 From: "Schmidt, Bill (MSED)" To: academic-firewalls@net.tamu.edu Subject: RE: Academic firewalls Firewalls can be an incredible tool in keeping hackers out, if they are properly configured. At the same time, they will allow the free flow of information. This freely flowing information will be the information that you want to flow, not password lists and other info that hackers want to get at. First, and understanding of the TCP/IP protocol is needed. An excellent book is Douglas E. Comer's "Internetworking with TCP/IP" ISBN# 0-13-216987-8. Second, a basic understanding of Firewalls is needed. I like "PC Week Intranet and Internet Firewall Strategies" as a basic, easy reading guide ISBN# 1-56276-422-5. It's by Edward Amoroso and Ralph Sharp from Ziff-Davis Press. The well known "Firewalls and Internet Security - Repelling the Wily Hacker" by Cheswick and Bellovin is also very good ISBN # 0-201-63357-4. Free utilities such as TCP Wrapper and Tripwire will also help you protect your systems. check out ftp://cert.org/pub/tools/tcp_wrappers/ and ftp://cert.org/pub/tools/tripwire/ Bill Schmidt - ---------- From: Tim Miley[SMTP:tmiley@yakko.cs.wmich.edu] Sent: Thursday, October 17, 1996 9:58 AM To: academic-firewalls@net.tamu.edu Subject: Academic firewalls Ok. 
Here's something on topic:

The University has always been a place of free exchange of ideas and communication. The internet has helped greatly. The problem with Internet Firewalls at academic institutions, as I see them, are the fact that they can easily squelch free expression in the interests of security. How would a system administrator implement firewalls in an academic setting so that the free exchange of ideas can take place without leaving the system open to internet Cracker riff-raff?

Can most firewall products selectively analyze network traffic on the fly and determine what is and isn't legitimate uses? What do you block?

What do you let through?

Tim
<-@&8><&A,97D=D!>P(' #8' -!)!L(+ %">
--------

On Wed, 16 Oct 1996, Tim Miley wrote:
>
>> I just got something from NaturePlus addressed from academic firewalls.
>> Methinks the group needs a moderator...
>>
>> ...and given the low traffic, participants and discussion would be a plus.
>>
>> Tim
>>

Hell, I almost forgot that I even subscribed to this mailing list, it's been so long since I got a message from it.

Anyone hear anything about the SideWinder Firewall for NT?

backlash@primenet.com

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 17:08:34 1996
X-Authentication-Warning: banach.math.purdue.edu: Host localhost.purdue.edu [127.0.0.1] didn't use HELO protocol
In-reply-to: Your message of Thu, 17 Oct 1996 12:22:29 MDT.
Date: Thu, 17 Oct 1996 16:58:54 -0500
From: sjh@MATH.Purdue.EDU
Reply-To: sjh@MATH.Purdue.EDU
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls\]

Greg Woods wrote:
>
> > The University has always been a place of free exchange of ideas and
> > communication. The internet has helped greatly. The problem with Internet
> > Firewalls at academic institutions, as I see them, are the fact that they can
> > easily squelch free expression in the interests of security.
>
> To be honest, I really don't see what you're getting at here. Firewalls
> do not let some things through and block others based on content. You
> could have a *policy* that says you can't http to playboy.com, and you
> could say that is suppressing free expression maybe, but in that case,
> it's the policy, not the firewall, that's doing the suppressing. I don't
> think the mere existence of a firewall constitutes stifling of free
> expression.
>
> --Greg

I'm not sure if the original poster had this in mind, but I interpreted the message as addressing the problem that we would have with a firewall, if we understand it correctly (and that is not certain).

We have the impression that to get the best security from a firewall certain services from our hosts would be blocked to access from hosts outside of our subnet. Those services might include telnet and rlogin (a policy decision, to be sure, but a reasonable one). If that is the case our faculty, who travel to many unpredictable places throughout the world, would have "difficulty" logging in from there to here. Difficulty is a subjective term, in that what is difficult for some faculty would not be a problem for others. What kinds of difficulties would they experience? Would it just be a matter of obtaining authentication on the firewall before doing an rlogin to a host behind the firewall?

Ftp and http would probably be allowed only to a machine set up for that purpose on a host on the outside of the firewall.
Would that cause problems for those using hosts behind the firewall in updating their home pages? If one certain faculty member who does image compression research wanted to ftp images from here to where he happens to be in Europe or South America, but the images aren't on the ftp host, he would have to rlogin to his home machine (through whatever "difficulties" that poses), do whatever magic he has to do to get the images to the ftp host, then ftp them to his location? With several tens of megabytes that might be "too difficult". Eh?

This might be construed as limiting the free exchange of ideas and communication.

Steve.

=========================================================
Steve Holmes                  \Internet: sholmes@purdue.edu
Systems Administrator         \WWW: www.math.purdue.edu/~sjh
Purdue University             \Phone: (317) 494-6055
1395 Mathematics Building     \Fax: (317) 494-0548
West Lafayette IN 47907-1395  \
=========================================================

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 17:21:04 1996
X-Authentication-Warning: banach.math.purdue.edu: Host localhost.purdue.edu [127.0.0.1] didn't use HELO protocol
In-reply-to: Your message of Thu, 17 Oct 1996 14:20:16 -0400.
Date: Thu, 17 Oct 1996 17:12:50 -0500
From: sjh@MATH.Purdue.EDU
Reply-To: sjh@MATH.Purdue.EDU
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

What I would like is a tool similar to Pat Wilson's request, but just for isolating traffic bottlenecks. etherman doesn't show everything, and too much. When people start knocking on my door and calling my phone saying the network is *very* slow (which I might have noticed :-) I need to find out what is going on fast. top on all the servers usually shows nothing going on so it must be simple network use somewhere. Probably an NFS copy but from where to where, by whom.

Thanks,
Steve.
=========================================================
Steve Holmes                  \Internet: sholmes@purdue.edu
Systems Administrator         \WWW: www.math.purdue.edu/~sjh
Purdue University             \Phone: (317) 494-6055
1395 Mathematics Building     \Fax: (317) 494-0548
West Lafayette IN 47907-1395  \
=========================================================

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 18:26:54 1996
cc: academic-firewalls@net.tamu.edu, academic-firewalls@net.tamu.edu
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Thu, 17 Oct 1996 19:15:01 -0400 (EDT)
From: David Temple
To: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

How many people (approx.) are in this group? I have been subscribed for a couple of months and have only received one message, not counting the last two days.

This has nothing to do with firewalls, but since nobody posts messages about firewalls anyway, what the heck. Does anyone have Netware and NT coexisting on the same network? If so what are the benefits and what problems have you run into? We currently have two IBM PC Server 720's with Netware 4.1 SMP (soon to be upgraded to Intranetware), and we are adding a third like server with NT4.0 (The BOSS wants it). I am just curious as to what I may run in to.

Also, does anyone know of a limit for objects within a container in Netware 4.1?
******************************************************************************
______________________________________________________________________________
DAVE TEMPLE
AUIS Network Specialist
Phone (419) 289-5606
Fax (419) 289-5884
E-Mail dtemple@ashland.edu
URL http://www.ashland.edu/~dtemple
______________________________________________________________________________
******************************************************************************

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 20:19:01 1996
X-Sender: sopwith@helix.cs.cuc.edu
In-Reply-To: <199610171658.MAA17580@yakko.cs.wmich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Thu, 17 Oct 1996 21:10:07 -0400 (EDT)
From: Elliot Lee
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

On Thu, 17 Oct 1996, Tim Miley wrote:

> The University has always been a place of free exchange of ideas and
> communication. The internet has helped greatly. The problem with Internet
> Firewalls at academic institutions, as I see them, are the fact that they can
> easily squelch free expression in the interests of security. How would
> a system administrator implement firewalls in an academic setting so that
> the free exchange of ideas can take place without leaving the system open
> to internet Cracker riff-raff?
>
> Can most firewall products selectively analyze network traffic on the fly
> and determine what is and isn't legitimate uses? What do you block?
>
> What do you let through?

Here are a few things that I would think apply to traffic that should be blocked:

- Attempting to use many different services in a short period of time. (Portscanning)

- Attempting to access many different hosts in a short period of time. (Another form of portscanning)

- Attempting to access *anything* to an extreme - for example more than X% of bandwidth or packets from a source outside of your own network.
Now that handles some cases, but what about someone using ypsnarf to get your NIS domain (if you use NIS, that is...)

I think a service-by-service review might be best in cases like this...

BTW if anyone has any ideas for firewalls, or just increasing security in general, in an academic environment, please pass them on to me - they are needed :-)

Thanks,
-- Elliot

http://www.redhat.com/

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 20:24:05 1996
Comments: Authenticated sender is <6ke2@qlink.queensu.ca>
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
X-mailer: Pegasus Mail for Windows (v2.40)
Date: Thu, 17 Oct 1996 21:15:31 +0000
From: "Kevin Everets" <6ke2@qlink.queensu.ca>
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

First I'd like to say that it's good to see some useful activity here, even if it is the result of spam. But moving on...

My question deals with what is happening at the University I am currently attending, as well as many other University settings that I know of. We have the pleasure of being linked directly to the University network through Ethernet cards in our Residence rooms (that is to say our own computers are being hooked up to allow access to the internet as a whole, among other computers). A question then arises as to the security of this for not only the University's computers, but for the computers of the students. What is the best implementation of a firewall to protect the individuals without disturbing the community as a whole?

Just curious...

Kevin Everets.
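One way to turn the monitoring wish-list earlier in the thread into concrete checks over per-session records (one record per connection rather than per packet, which is the "big picture" view Jim asked for): Pat Wilson's per-machine-pair thresholds and new-device alert, and Elliot Lee's three criteria for traffic that should be flagged. This is an added example, not code from SNIF or from any poster; the 10.1.* campus prefix, the baseline table, the hardware-address inventory and the flow records are all constructed.

```python
"""Checks over per-session flow records (added example, not from SNIF or any
poster). Campus prefix, baseline, MAC inventory and records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_PREFIX = "10.1."                          # hypothetical campus block
BASELINE = {"10.1.0.5": {"10.1.0.9": 2.0}}         # foo -> bar: ~2 sessions/min
KNOWN_MACS = {"00:00:0c:aa:bb:01", "00:00:0c:aa:bb:02"}   # constructed inventory

@dataclass
class Flow:
    t: float       # seconds into the observation window
    src: str
    dst: str
    dport: int
    nbytes: int
    src_mac: str   # hardware address seen behind src

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def scan_alerts(flows, window=60.0, max_ports=10, max_hosts=10):
    """Elliot's first two criteria: one source reaching many distinct services,
    or many distinct hosts, inside a sliding window of `window` seconds."""
    alerts = set()
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        by_src[f.src].append(f)
    for src, fl in by_src.items():
        start = 0
        for end, f in enumerate(fl):
            while f.t - fl[start].t > window:      # slide the window forward
                start += 1
            recent = fl[start:end + 1]
            if len({g.dport for g in recent}) > max_ports:
                alerts.add(("portscan", src))
            if len({g.dst for g in recent}) > max_hosts:
                alerts.add(("hostscan", src))
    return sorted(alerts)

def bandwidth_hogs(flows, max_share=0.5):
    """Elliot's third criterion: an outside source accounting for more than
    max_share of all bytes seen in the window."""
    total = sum(f.nbytes for f in flows) or 1
    per_src = defaultdict(int)
    for f in flows:
        if not is_internal(f.src):
            per_src[f.src] += f.nbytes
    return sorted(("bandwidth", s) for s, b in per_src.items() if b / total > max_share)

def pair_alerts(flows, baseline, minutes=1.0, factor=3.0):
    """Pat's request: foo is expected to do N sessions/min to bar; alert when it
    exceeds N by `factor`, or talks to a host that is not in its baseline at all."""
    counts = defaultdict(int)
    for f in flows:
        counts[(f.src, f.dst)] += 1
    alerts = []
    for (src, dst), n in sorted(counts.items()):
        expected = baseline.get(src)
        if expected is None:
            continue                               # no expectations for src
        if dst not in expected:
            alerts.append(("unexpected-peer", src, dst))
        elif n / minutes > factor * expected[dst]:
            alerts.append(("rate-exceeded", src, dst))
    return alerts

def new_devices(flows, known_macs):
    """Pat's other request: a hardware address on the monitored subnet that is
    not in the inventory (a new box on a live port or a fresh DHCP lease)."""
    seen = {f.src_mac for f in flows if is_internal(f.src)}
    return sorted(seen - known_macs)

def sample_flows():
    """Constructed records for one minute; not captured data."""
    router = "00:00:0c:ff:ff:01"                   # MAC of the border router
    flows = []
    # one outside host touches 11 services on one server
    for i, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 119, 143]):
        flows.append(Flow(i, "192.0.2.77", "10.1.0.9", port, 500, router))
    # another sweeps port 23 across 12 internal hosts
    for i in range(12):
        flows.append(Flow(20 + i, "198.51.100.3", f"10.1.0.{i + 1}", 23, 500, router))
    # foo -> bar: 7 NFS sessions where the baseline expects about 2
    for i in range(7):
        flows.append(Flow(5 + 8 * i, "10.1.0.5", "10.1.0.9", 2049, 500, "00:00:0c:aa:bb:01"))
    # foo -> baz, a peer absent from foo's baseline
    flows.append(Flow(30, "10.1.0.5", "10.1.0.33", 22, 500, "00:00:0c:aa:bb:01"))
    # an unknown hardware address appears on the subnet
    flows.append(Flow(40, "10.1.0.40", "10.1.0.9", 80, 500, "00:00:0c:aa:bb:99"))
    # one outside source moves 5 MB while everything else is tiny
    flows.append(Flow(50, "203.0.113.8", "10.1.0.9", 80, 5_000_000, router))
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    print(scan_alerts(flows), pair_alerts(flows, BASELINE),
          bandwidth_hogs(flows), new_devices(flows, KNOWN_MACS))
```

The thresholds (10 ports, 10 hosts, 50% of bytes, 3x the baseline rate) are arbitrary starting points; a site would tune them against a week of its own records before alerting on them.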
-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 21:08:16 1996
X-Sender: sopwith@helix.cs.cuc.edu
cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610171925.PAA19901@yakko.cs.wmich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Thu, 17 Oct 1996 21:51:55 -0400 (EDT)
From: Elliot Lee
To: academic-firewalls@net.tamu.edu
Subject: Re: I see said the blind man

On Thu, 17 Oct 1996, Tim Miley wrote:

>
> I guess I was under the impression that a firewall totally blocked packets from
> the internal network, forcing the network user to actually connect to the
> firewall to address the outside net, virtually blocking the local net from the
> outside world.
>
> Can a firewall selectively filter packets that, for example, are aimed at a
> Novell server, without blocking the Novell user's ability to access the net.
>
> For example:
>
>
> Internet |---(Novell control packet)-->||Firewall||          Lan user
>
> Internet |---(HTTP transfer packet)--->||Firewall||----> Lan user

There are different types of firewalls. Some, known as proxies, fulfill your traditional expectation. Others, known as packet filters, filter TCP/IP packets out while still allowing systems to appear "on the net". Still others, known as circuit-level filters, are halfway in between.

Generally packet filters provide the least interference with connectivity, but they do have some potential security problems.

-- Elliot

http://www.redhat.com/

-------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 21:20:11 1996
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: from "Elliot Lee" at Oct 17, 96 09:10:07 pm
Content-Type: text
Date: Thu, 17 Oct 1996 22:10:48 -0400 (EDT)
From: John Studarus
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

Check out Argus (ftp.sei.cmu.edu/pub/argus) as an intrusion detection system. I had v1.4 (current version is 1.5) running on a DEC Alpha listening to a FDDI/T3 network.
Argus basically provides you with session information (rather than individual packets). I had a perl script that looked for interesting things (such as IP Spoofing, tftp, strobes, etc). The secret is finding a machine that can keep up with the network traffic! =) -John > > On Thu, 17 Oct 1996, Tim Miley wrote: > > > Can most firewall products selectively analyze network traffic on the fly > > and determine what is and isn't legitimate uses? What do you block? > > > > What do you let through? > > Here are a few things that I would think apply to traffic that should be > blocked: > > - Attempting to use many different services in a short period of time. > (Portscanning) > > - Attempting to access many different hosts in a short period of time. > (Another form of portscanning) > > - Attempting to access *anything* to an extreme - for example more than X% > of bandwidth or packets from a source outside of your own network. > > Now that handles some cases, but what about someone using ypsnarf to get > your NIS domain (if you use NIS, that is...) > > I think a service-by-service review might be best in cases like this... > > BTW if anyone has any ideas for firewalls, or just increasing security in > general, in an academic environment, please pass them on to me - they > are needed :-) > > Thanks, > -- Elliot > > http://www.redhat.com/ > -------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 23:11:06 1996 X-Sender: shava@mailhost.continet.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Cc: academic-firewalls@net.tamu.edu Date: Thu, 17 Oct 1996 22:59:47 -0500 (CDT) From: shava@netprophets.net (Shava Nerad) To: academic-firewalls@net.tamu.edu Subject: Re: Academic firewalls\] At 12:22 PM 10/17/96, Greg Woods wrote: >> The University has always been a place of free exchange of ideas and >> communication. The internet has helped greatly. 
The problem with Internet >> Firewalls at academic institutions, as I see them, are the fact that they can >> easily squelch free expression in the interests of security. > >To be honest, I really don't see what you're getting at here. Firewalls >do not let some things through and block others based on content. ... I don't >think the mere existence of a firewall constitutes stifling of free >expression. If you block mud traffic, for example, you are blocking instructional muds as well as furrymuck. This is a policy -- but the initial policy is that you installed the firewall, which is (presumably) thereto block *something* rather than just to add a layer of latency to torture the students...;) (yes, I'm at a commercial company now, but I'm a former U/Mass, MIT, UNC, and UO geek... Can I still play? ;) Shava Nerad http://www.efn.org/~shava/ shava@netprophets.net 541 541-9600 (toll free 888 597-5354) President, Net Prophets, Inc. http://www.netprophets.net/ Internet, intranet, and web design services -------- From academic-firewalls-owner@net.tamu.edu Thu Oct 17 23:14:50 1996 X-Sender: shava@mailhost.continet.com Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Date: Thu, 17 Oct 1996 23:05:47 -0500 (CDT) From: shava@netprophets.net (Shava Nerad) To: academic-firewalls@net.tamu.edu Subject: Re: I see said the blind man At 3:25 PM 10/17/96, Tim Miley wrote: >I guess I was under the impression that a firewall totally blocked packets from >the internal network, forcing the network user to actually connect to the >firewall to addresss the outside net, virtually blocking the local net from the >outside world. I think what you may be thinking of is called a "proxy" server. Shava Nerad http://www.efn.org/~shava/ shava@netprophets.net 541 541-9600 (toll free 888 597-5354) President, Net Prophets, Inc. 
http://www.netprophets.net/ Internet, intranet, and web design services -------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 01:04:57 1996 Cc: academic-firewalls@net.tamu.edu In-Reply-To: from "Elliot Lee" at Oct 17, 96 09:10:07 pm X-Mailer: ELM [version 2.4 PL24] Content-Type: text Date: Thu, 17 Oct 1996 22:54:42 -0700 (PDT) From: dennis@nebulus.net (Dennis Breckenridge) To: academic-firewalls@net.tamu.edu Subject: Re: Academic firewalls A being tickled my SMTP port calling themselves Elliot Lee and sez: > > On Thu, 17 Oct 1996, Tim Miley wrote: > > > What do you let through? > > Here are a few things that I would think apply to traffic that should be > blocked: > > - Attempting to use many different services in a short period of time. > (Portscanning) So set up a simple perl script like gabriel and let it warn you that you are being probed. Not forward looking but very effective. > - Attempting to access many different hosts in a short period of time. > (Another form of portscanning) Send all your denial of service attacks to a log processor like swatch and script it right to capture the IP addresses so when you have the time (and most of us do not) track em down. > - Attempting to access *anything* to an extreme - for example more than X% > of bandwidth or packets from a source outside of your own network. Same answer. > Now that handles some cases, but what about someone using ypsnarf to get > your NIS domain (if you use NIS, that is...) If you run YP (aka NIS) you really have a handful of security issues that need to be attended too. Keeping NIS quiet about your domain is akin to stopping a baby from leaking in their diaper, its not an easy job but if you change it rapidly, its not too bad. > I think a service-by-service review might be best in cases like this... Well it depends if you run a "Internet" service provider a "hardened" site. 
> BTW if anyone has any ideas for firewalls, or just increasing security in > general, in an academic environment, please pass them on to me - they > are needed :-) In the acedemic environment (and you will be a target), play the sandbox game. Set up a machine that allows your users to play in, easy to break into, and get bored to find a harder site. Make sure you track the attempts and log them (just in case). You will find that the "crackers" get tired rapidly and tell all their friends that breaking into YOUR site is boring and easy so there is no challenge. They will then try and hit something like a freenet box to solve their thirst in hacking. - -- - ------------------------------------------------------------------------------- Dennis Breckenridge Consider the benevolence of technology and the notion of dennis@nebulus.net progress in the world we live in. Where is the balance? - ------------------------------------------------------------------------------- -------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 01:55:59 1996 CC: dan@ttisms.com Date: Thu, 17 Oct 1996 23:41:47 PDT From: Daniel Esbensen To: academic-firewalls@net.tamu.edu Subject: Re: Academic firewalls Hi, Our INTOUCH NSA - Network Security Agent security tool provides continious network surveillance of all user (content-based) activity. All user sessions are reconstructed and scanned in real-time for suspicious or inappropriate activity (you can define this using a rules-based engine). When incidents occur, user-defined actions can be taken! For more information: security@ttinet.com Or http://www.ttinet.com/ Dan E. Director of Advanced Research Touch Technologies, Inc. 
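The checks John describes scripting over Argus session records (IP spoofing, tftp, strobes) and the threshold rules in Elliot's quoted list that Dennis suggests handing to gabriel or swatch, collected into one added example. This is not code from the thread and not Argus's own record format: the "timestamp interface proto src:sport -> dst:dport" layout, the campus address block, the interface name and the thresholds are all assumptions, and the sample records are constructed.

```python
"""Flag scans, tftp probes and spoofed sources in flow/session records.

Added example, not code from the mailing list.  The record format and the
sample records below are constructed for illustration; real Argus output
has its own layout and would need a different parser.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site parameters: the campus address block and the router
# interface facing the Internet.  A campus source address arriving on the
# outside interface cannot be legitimate.
INTERNAL_NET = ip_network("10.20.0.0/16")
OUTSIDE_IF = "ext0"

# Thresholds: distinct ports (strobe/port scan) or distinct hosts (sweep)
# touched by one source within WINDOW seconds.
WINDOW = 60
PORT_THRESHOLD = 10
HOST_THRESHOLD = 10
TFTP_PORT = 69


def parse_record(line):
    """'ts iface proto src:sport -> dst:dport' -> dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        src, sport = parts[3].rsplit(":", 1)
        dst, dport = parts[5].rsplit(":", 1)
        return {"ts": float(parts[0]), "iface": parts[1],
                "proto": parts[2].lower(),
                "src": ip_address(src), "sport": int(sport),
                "dst": ip_address(dst), "dport": int(dport)}
    except ValueError:
        return None


def analyze(lines):
    """Return a sorted list of (kind, source) alerts found in the records."""
    alerts = set()
    history = defaultdict(list)  # src -> [(ts, dst, dport)] inside the window
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # Argus-style tools log these; we simply skip them
        src = rec["src"]
        if rec["iface"] == OUTSIDE_IF and src in INTERNAL_NET:
            alerts.add(("spoofed-source", str(src)))
        if rec["proto"] == "udp" and rec["dport"] == TFTP_PORT:
            alerts.add(("tftp", str(src)))
        hist = history[src]
        hist.append((rec["ts"], rec["dst"], rec["dport"]))
        cutoff = rec["ts"] - WINDOW
        history[src] = hist = [h for h in hist if h[0] >= cutoff]
        if len({h[2] for h in hist}) >= PORT_THRESHOLD:
            alerts.add(("port-scan", str(src)))
        if len({h[1] for h in hist}) >= HOST_THRESHOLD:
            alerts.add(("host-sweep", str(src)))
    return sorted(alerts)


# Constructed sample: a strobe against one host, a sweep across the dorm
# subnet, a tftp probe, a spoofed campus address on the outside interface,
# and ordinary traffic that must not trip anything.
SAMPLE = (
    [f"{100 + i} ext0 tcp 192.0.2.7:4{i:04d} -> 10.20.1.5:{20 + i}" for i in range(12)]
    + [f"{200 + i} ext0 tcp 198.51.100.9:3000 -> 10.20.3.{i + 1}:139" for i in range(11)]
    + ["300 ext0 udp 198.51.100.9:1024 -> 10.20.1.5:69",
       "301 ext0 tcp 10.20.1.77:2000 -> 10.20.1.5:23",
       "302 int0 tcp 10.20.1.77:2001 -> 192.0.2.80:80",
       "303 ext0 tcp 203.0.113.4:5000 -> 10.20.1.5:80",
       "not a record"]
)

if __name__ == "__main__":
    for kind, src in analyze(SAMPLE):
        print(f"{kind:15s} {src}")
```

The window is pruned per source on every record, so memory stays bounded by what each source did in the last WINDOW seconds; the real constraint, as John says, is a collector that keeps up with the wire, and that is a hardware question this script does nothing about.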
-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 02:26:51 1996
X-Mailer: Mozilla 3.0Gold (Win16; I)
MIME-Version: 1.0
CC: academic-firewalls@net.tamu.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Fri, 18 Oct 1996 08:02:54 -0700
From: lazat@micro.se
Reply-To: lazat@micro.se
To: academic-firewalls@net.tamu.edu
Subject: academic-firewalls@net.tamu.edu

unsubscribe lazat@micro.se

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 04:29:22 1996
X-Sun-Charset: US-ASCII
Date: Fri, 18 Oct 1996 10:09:57 +0000
From: Danny Cox
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

> But moving on... My question deals with what is happening at the
> University I am currently attending, as well as many other University
> settings that I know of. We have the pleasure of being linked
> directly to the University network through Ethernet cards in our
> Residence rooms (that is to say our own computers are being hooked up
> to allow access to the internet as a whole, among other computers).
> A question then arises as to the security of this for not only the
> University's computers, but for the computers of the students. What
> is the best implementation of a firewall to protect the individuals
> without disturbing the community as a whole?

Howsabout placing all these student machines on one network or subnetwork and firewalling them off from the rest of the university? It means that they're vulnerable to each other of course, but not to the rest of the uni.

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 04:29:20 1996
X-Sun-Charset: US-ASCII
Date: Fri, 18 Oct 1996 09:57:48 +0000
From: Danny Cox
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

> The University has always been a place of free exchange of ideas and
> communication. The internet has helped greatly. The problem with Internet
> Firewalls at academic institutions, as I see them, are the fact that they can
> easily squelch free expression in the interests of security. How would
> a system administrator implement firewalls in an academic setting so that
> the free exchange of ideas can take place without leaving the system open
> to internet Cracker riff-raff?

I let the basics through here .. that is http ftp telnet smtp and that's yer lot. That's plenty enough to share ideas etc although if folk are wanting to play with exotic protocols, then that's a different matter. Not that anyone does, where I am, so it's less of an issue.

Further out, beyond our department here, the university uses filtering routers and broadly lets out most stuff. That seems plausible to me ... if we have a series of sub-nets which are all firewalled, and the main network belonging to the university is more loosely controlled, then anyone wishing to experiment or use something which firewall admins might want to block, can setup a machine outside the departmental firewall and access others using cuseeme or realaudio or whatever ..

> Can most firewall products selectively analyze network traffic on the fly
> and determine what is and isn't legitimate uses? What do you block?

I'd say that they can, yes. In general, most firewall products start with everything blocked and open up things a step at a time. That's a different emphasis from 'what do you block?' .. rather it's 'what do you allow?'

Cheers
Danny

ps .. good grief, a discussion on this list!
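Danny's "start with everything blocked and open up things a step at a time", together with his earlier suggestion of putting the residence-hall machines on their own subnet and firewalling them off from the rest of the university, as an added example that is not code from the thread and not any router vendor's ACL syntax. The addresses, the dorm/campus split and the rule list are assumptions; the sample packets are constructed. Besides the default-deny ruleset it shows what the same packets do when the trailing catch-all is left off, which is the difference between "what do you allow?" and "what do you block?".

```python
"""First-match packet filter with a default-deny policy.

Added example, not code from the thread and not a real ACL language.
Addresses, the dorm/campus split and the rule list are assumptions
modelling a filter in front of a residence-hall subnet.
"""
from ipaddress import ip_address, ip_network

DORM_NET = ip_network("10.20.0.0/16")   # residence halls (assumed)
CAMPUS_NET = ip_network("10.0.0.0/8")   # the rest of the university (assumed)
ANY = ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)


def rule(action, proto, src, dst, dport=ALL_PORTS, sport=ALL_PORTS, established=False):
    """One filter rule; a port spec is a set of ports or an inclusive (lo, hi) range."""
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "sport": sport, "established": established}


def packet(proto, src, sport, dst, dport, flags=()):
    return {"proto": proto, "src": ip_address(src), "sport": sport,
            "dst": ip_address(dst), "dport": dport, "flags": set(flags)}


# Evaluated top to bottom, first match wins.  The final rule is the
# catch-all that makes this an allow-list rather than a block-list.
RULES = [
    # dorm hosts may not reach the campus portmapper (RPC/NIS) or tftp at all
    rule("deny", "udp", DORM_NET, CAMPUS_NET, dport={111}),
    rule("deny", "tcp", DORM_NET, CAMPUS_NET, dport={111}),
    rule("deny", "udp", DORM_NET, CAMPUS_NET, dport={69}),
    # the basics outbound: http, ftp control, telnet, smtp
    rule("permit", "tcp", DORM_NET, ANY, dport={80, 21, 23, 25}),
    # replies to connections the dorms opened (stateless filters key on ACK)
    rule("permit", "tcp", ANY, DORM_NET, established=True),
    # DNS answers back to the dorm resolvers
    rule("permit", "udp", ANY, DORM_NET, dport=(1024, 65535), sport={53}),
    rule("deny", "any", ANY, ANY),
]


def port_ok(spec, port):
    if isinstance(spec, set):
        return port in spec
    lo, hi = spec
    return lo <= port <= hi


def matches(r, pkt):
    if r["proto"] != "any" and r["proto"] != pkt["proto"]:
        return False
    if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
        return False
    if not port_ok(r["sport"], pkt["sport"]) or not port_ok(r["dport"], pkt["dport"]):
        return False
    # "established" is only "the ACK bit is set": all a stateless filter can
    # see, and not proof that the connection was opened from the inside.
    if r["established"] and "ACK" not in pkt["flags"]:
        return False
    return True


def decide(pkt, rules, default="deny"):
    """Return (action, index of the matching rule), or (default, None)."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r["action"], i
    return default, None


def ends_with_default_deny(rules):
    """The weak configuration is a list with no catch-all at the end."""
    if not rules:
        return False
    last = rules[-1]
    return (last["action"] == "deny" and last["proto"] == "any"
            and last["src"] == ANY and last["dst"] == ANY
            and last["sport"] == ALL_PORTS and last["dport"] == ALL_PORTS)


# Constructed sample traffic.
SAMPLE = {
    "dorm-web-out": packet("tcp", "10.20.1.5", 3001, "192.0.2.80", 80, ["SYN"]),
    "web-reply": packet("tcp", "192.0.2.80", 80, "10.20.1.5", 3001, ["ACK"]),
    "inbound-to-student-server": packet("tcp", "203.0.113.4", 4000, "10.20.1.5", 80, ["SYN"]),
    "dorm-to-nis": packet("udp", "10.20.1.5", 700, "10.1.1.10", 111),
    "dorm-to-nfs": packet("tcp", "10.20.1.5", 701, "10.1.1.10", 2049, ["SYN"]),
    "dns-answer": packet("udp", "10.1.1.53", 53, "10.20.1.5", 1500),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:28s} {decide(pkt, RULES)}"
              f"   without catch-all: {decide(pkt, RULES[:-1], 'permit')}")
```

Two things the output makes visible: a dorm host talking NFS to a campus server is dropped by the catch-all but sails through once the catch-all is missing and the filter falls back to permit; and an inbound connection to a student's own web server is dropped, so a student who wants to run servers needs a permit for that address inserted ahead of the catch-all. The ACK-based "established" rule is also the classic weak spot of stateless filtering: any outside host can send ACK-flagged packets at dorm addresses and match rule 4.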
-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 06:06:12 1996
X-Sun-Charset: US-ASCII
Date: Fri, 18 Oct 1996 09:13:31 +0100
From: "Duncan Bruce Brannen"
To: academic-firewalls@net.tamu.edu
Subject: Intermapper

> From academic-firewalls-owner@net.tamu.edu Thu Oct 17 23:23 BST 1996
> [ Product plug here, sorry ]
> Dartmouth has developed a program called InterMapper (runs on a Mac) that
> does some of this quite nicely - more info at
> - though it's
> written from a network management/troubleshooting perspective, rather than
> a security angle.
>
> Pat Wilson
> paw@dartmouth.edu

One of the Sys. Admin's here is using it, or at least the evaluation copy & he likes it lots. It seems really easy to use & presents info consisively, (if that's the word to use & how it's spelt :) More so than certain commercial packages I'm trying to learn how to use... I'd recommend having a look.

Dunk

[PS Pat, You can send me my commission in the post :]

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 06:21:56 1996
Organization: University of Ulster
X-mailer: Pegasus Mail for Windows (v2.23)
Date: Fri, 18 Oct 1996 12:09:12 GMT
From: "GOULDING CP"
To: academic-firewalls@net.tamu.edu
Subject: Proxy servers in Java

Hello,

I'm currently researching platform independent firewalls in Java, is there any one else out there doing something similar.

Peter

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 06:40:27 1996
Content-Type: text
Date: Fri, 18 Oct 1996 07:33:51 -0400 (EDT)
From: Tim Miley
To: academic-firewalls@net.tamu.edu
Subject: Academic firewalls and residence rooms

It seems to me that most PCs in residence halls already have an advantage from their point of view that they don't offer multiuser potential (Unix/linux variations being the obvious exception). Blocking incoming control messages aimed at Windows 95 or Windows 3.11 might be helpful, but it would also preclude the students networking their computers together as well.

On the university side, if I were administering such a network, I would try to filter packets aimed at yp, nis, etc, Novell control packets, and the like from machines that have no business trying to send such packets from dorm computers.

Tim

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 08:14:32 1996
cc: academic-firewalls@net.tamu.edu
In-reply-to: Your message of Thu, 17 Oct 1996 21:10:07 -0400.
Date: Fri, 18 Oct 1996 09:05:21 -0400
From: Paul Howell
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

Elliot Lee writes:
> Here are a few things that I would think apply to traffic that should be
> blocked:
>
> - Attempting to use many different services in a short period of time.
> (Portscanning)
>
> - Attempting to access many different hosts in a short period of time.
> (Another form of portscanning)
>
> - Attempting to access *anything* to an extreme - for example more than X%
> of bandwidth or packets from a source outside of your own network.
>
> Now that handles some cases, but what about someone using ypsnarf to get
> your NIS domain (if you use NIS, that is...)
>
> I think a service-by-service review might be best in cases like this...
>
> BTW if anyone has any ideas for firewalls, or just increasing security in
> general, in an academic environment, please pass them on to me - they
> are needed :-)
>
> Thanks,
> -- Elliot
>
> http://www.redhat.com/
>

While the original poster may have been considering content, I'd like to address another issue which is research. Say for example you're an EECS grad student at a university which encourages you to experiment, investigate, and try out new things.

With that as the background, a student wishing to experiment and conduct investigations which mean no harm and are not malicious in nature, may trigger negative responses based on a pattern that may also appear in attempted breakins.

Experimenting and breaking in are two very different items. Blocking traffic may hinder experimentation in a wide variety of legitimate areas, thus hindering a university's interests.

It seems to me that putting firewalls up in a university may be a fine idea, if you don't have any students that you're asking to experiment with new ideas/protocols/etc..

Thanks.

Paul Howell
Manager, Systems Group
Computer Aided Engineering Network, The University of Michigan
2281 Bonisteel Drive - 1315b Media Union      voice: (313)936-2486
Ann Arbor, MI 48109-2094                      fax: (313)936-3107

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 08:14:32 1996
cc: academic-firewalls@net.tamu.edu
In-reply-to: Your message of "Thu, 17 Oct 1996 22:54:42 PDT."
Date: Fri, 18 Oct 1996 08:02:39 -0500
From: Martin Wolske
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

In message you write:
>In the academic environment (and you will be a target), play the
>sandbox game. Set up a machine that allows your users to play in,
>easy to break into, and get bored to find a harder site. Make sure
>you track the attempts and log them (just in case).
>
>You will find that the "crackers" get tired rapidly and tell all their
>friends that breaking into YOUR site is boring and easy so there is
>no challenge. They will then try and hit something like a freenet
>box to solve their thirst in hacking.
>

And what makes us freenets a better target? Maybe we just play the "sandbox game" too :)

Seriously, though, by implication setting up a machine to allow users to play in would suggest you have many others that are harder to break into. Why wouldn't the cracker realize this and try to break into those more challenging aspects of your network?

I actually have a motive behind that question. So far, our entire freenet network has really been the sandbox. And generally we've not been hurt too bad by all the hackers who have chosen to play on our system, in part I would guess because it isn't too much of a challenge. I'm now planning on setting up a Cisco router independent of the Univ. of IL, whose network we are a part, to act as a packet filter. This will allow me to segment off certain servers, increasing security on these systems. But in the back of my mind, alarms are warning that I'm now creating a tempting hacker environment. Any thoughts out there on this?

-- Martin

---------------------------------------------------------------------------
Martin Wolske, Prairienet Systems Administrator
LIS Building, 501 E. Daniel, Champaign, IL 61820
Email: mwolske@prairienet.org      URL: http://www.prairienet.org/~mwolske/
---------------------------------------------------------------------------

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 08:47:42 1996
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: from "Elliot Lee" at Oct 17, 96 09:10:07 pm
X-Mailer: ELM [version 2.4 PL24 PGP3 *ALPHA*]
Content-Type: text
Date: Fri, 18 Oct 1996 09:38:30 -0400 (EDT)
From: sspoon@clemson.edu
Reply-To: sspoon@clemson.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

Elliot Lee wrote:
>
> On Thu, 17 Oct 1996, Tim Miley wrote:
>
> > The University has always been a place of free exchange of ideas and
> > communication. The internet has helped greatly. The problem with Internet
> > Firewalls at academic institutions, as I see them, are the fact that they can
> > easily squelch free expression in the interests of security. How would
> > a system administrator implement firewalls in an academic setting so that
> > the free exchange of ideas can take place without leaving the system open
> > to internet Cracker riff-raff?
>

Let me just say that our college has begun doing this, too (putting ethernet in the dorms), and, while they will probably get security conscious and start firewalling and such in the future, they haven't yet. The dorm networks are wide open, and the students are loving it. While it probably isn't as safe as a heavily firewalled network, it *is* very convenient for people who *want* their computers to have a lot of access to the network. It's educational to set up ftp, http, and login servers on your own computer; and it is useful, too. You can do most of your work from your own computer, and then login from anywhere on campus for demos. You can always go look up an old email message, even if you aren't in your room. And, if you really have some spare time, you could play with writing your *own* network software, on a system where security isn't so critical.

Some firewalling, alas, does seem like quite a good idea. Is it true that Windows95 really likes to export its filesystems world-writable? Maybe a good medium between security and user-convenience would be to firewall the heck out of the network, but to allow certain IP addresses to request full (though dangerous) service? Would this be feasible?

Lex

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 08:59:49 1996
X-Mailer: Worldtalk (NetConnex V4.00a)/MIME
Date: Fri, 18 Oct 1996 09:51:00 -0500
From: "Davidson, Clyde"
To: academic-firewalls@net.tamu.edu
Subject: RE: I see said the blind man

Since no one else answered the Novell question...

The Internet uses the TCP/IP protocol and NetWare uses the IPX/SPX protocol. Therefore, no NetWare traffic can travel on the Internet or go through the firewall. (I suppose you could have an internal NetWare firewall, but I've never seen it.)

The only way that IPX traffic could go through the firewall and onto the Internet would be with IP tunneling. However, putting IPX packets inside IP packets means that it is controlled by the firewall as IP. Then the firewall can control what gets to the other end of the tunnel. Once the other end of the tunnel strips off the IP packet, it becomes a regular IPX packet that the firewall doesn't understand.
From a user's point of view, they have both the IPX and the IP stacks and can talk to either system.

Clyde Davidson
Data Security Coordinator
NMH

----------
From: Tim Miley[SMTP:tmiley@yakko.cs.wmich.edu]
Sent: Thursday, October 17, 1996 8:21 PM
To: academic-firewalls
Subject: I see said the blind man

I guess I was under the impression that a firewall totally blocked packets from the internal network, forcing the network user to actually connect to the firewall to address the outside net, virtually blocking the local net from the outside world.

Can a firewall selectively filter packets that, for example, are aimed at a Novell server, without blocking the Novell user's ability to access the net.

For example:

Internet |---(Novell control packet)-->||Firewall||        Lan user

Internet |---(HTTP transfer packet)--->||Firewall||----> Lan user

Tim

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 09:44:34 1996
In-Reply-To: <199610181305.JAA01139@cyclorama.engin.umich.edu> from "Paul Howell" at Oct 18, 96 09:05:21 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Date: Fri, 18 Oct 1996 07:39:19 -0700 (PDT)
From: Peter Van Epp
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

>
> Elliot Lee writes:
> > Here are a few things that I would think apply to traffic that should be
> > blocked:
> >
> > - Attempting to use many different services in a short period of time.
> > (Portscanning)
> >
> > - Attempting to access many different hosts in a short period of time.
> > (Another form of portscanning)
> >
> > - Attempting to access *anything* to an extreme - for example more than X%
> > of bandwidth or packets from a source outside of your own network.
> >
> > Now that handles some cases, but what about someone using ypsnarf to get
> > your NIS domain (if you use NIS, that is...)
> >
> > I think a service-by-service review might be best in cases like this...
> >
> > BTW if anyone has any ideas for firewalls, or just increasing security in
> > general, in an academic environment, please pass them on to me - they
> > are needed :-)
> >
> > Thanks,
> > -- Elliot
> >
> > http://www.redhat.com/
> >
>
> While the original poster may have been considering content, I'd like
> to address another issue which is research. Say for example you're
> an EECS grad student at a university which encourages you to experiment,
> investigate, and try out new things.
>
> With that as the background, a student wishing to experiment and
> conduct investigations which mean no harm and are not malicious in
> nature, may trigger negative responses based on a pattern that
> may also appear in attempted breakins.
>
> Experimenting and breaking in are two very different items. Blocking
> traffic may hinder experimentation in a wide variety of legitimate
> areas, thus hindering a university's interests.
>
> It seems to me that putting firewalls up in a university may be
> a fine idea, if you don't have any students that you're asking to
> experiment with new ideas/protocols/etc..
>
> Thanks.
>
> Paul Howell
> Manager, Systems Group
> Computer Aided Engineering Network, The University of Michigan
> 2281 Bonisteel Drive - 1315b Media Union      voice: (313)936-2486
> Ann Arbor, MI 48109-2094                      fax: (313)936-3107
>

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 09:52:37 1996
In-Reply-To: <199610181305.JAA01139@cyclorama.engin.umich.edu> from "Paul Howell" at Oct 18, 96 09:05:21 am
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Date: Fri, 18 Oct 1996 07:47:42 -0700 (PDT)
From: Peter Van Epp
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

First, sorry for the previous empty one, finger trouble changing the To: line to the list :-(

The difference between a student doing protocol work or experimenting with breaking in and a cracker is authorization. If the student has previous authorization to do what they are doing, then the fact that they trip the cracking alarms is irrelevant (and likely a good test that the cracking alarms do in fact work properly!). If they don't have the appropriate permissions, then they indeed are cracking, not doing authorized and approved work. This may mean doing it to a machine inside the firewall because the firewall would block the attempt to do it from outside, but it really is an issue of policy, appropriate approvals and courtesy towards the sys admin of the system that is being "experimented" on, not anything to do with the implementation of the firewall.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

>
> While the original poster may have been considering content, I'd like
> to address another issue which is research. Say for example you're
> an EECS grad student at a university which encourages you to experiment,
> investigate, and try out new things.
>
> With that as the background, a student wishing to experiment and
> conduct investigations which mean no harm and are not malicious in
> nature, may trigger negative responses based on a pattern that
> may also appear in attempted breakins.
>
> Experimenting and breaking in are two very different items. Blocking
> traffic may hinder experimentation in a wide variety of legitimate
> areas, thus hindering a university's interests.
>
> It seems to me that putting firewalls up in a university may be
> a fine idea, if you don't have any students that you're asking to
> experiment with new ideas/protocols/etc..
>
> Thanks.
>
> Paul Howell
> Manager, Systems Group
> Computer Aided Engineering Network, The University of Michigan
> 2281 Bonisteel Drive - 1315b Media Union      voice: (313)936-2486
> Ann Arbor, MI 48109-2094                      fax: (313)936-3107
>

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 10:09:30 1996
In-Reply-To: <199610180115.VAA22876@qlink.queensu.ca> from "Kevin Everets" at Oct 17, 96 09:15:31 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Date: Fri, 18 Oct 1996 08:03:49 -0700 (PDT)
From: Peter Van Epp
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

One of the most valuable things (which I haven't seen mentioned yet) is to provision the dorms with 10baseT drops that come back to a "blanking hub". A "blanking hub" (it probably has a proper name but I don't know it :-) ) detects the source and destination ports for each packet and ships it to those ports unchanged. All other ports on the hub get the headers of the packet unchanged but the data blanked (or I think on some hubs get a jam signal when the packet is transiting the network). On at least some Cabletron hubs this is an around $200 option. It buys the student in the dorm security against packet sniffing by their fellow students or outside crackers that have broken in to a machine. I expect that lots of academic sites still use reusable passwords which are subject to sniffer attacks simply because the cost of implementing one of the one time password systems is too high.

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

>
> But moving on... My question deals with what is happening at the
> University I am currently attending, as well as many other University
> settings that I know of. We have the pleasure of being linked
> directly to the University network through Ethernet cards in our
> Residence rooms (that is to say our own computers are being hooked up
> to allow access to the internet as a whole, among other computers).
> A question then arises as to the security of this for not only the
> University's computers, but for the computers of the students. What
> is the best implementation of a firewall to protect the individuals
> without disturbing the community as a whole?
>
> Just curious...
>
> Kevin Everets.
>

-------- From academic-firewalls-owner@net.tamu.edu Fri Oct 18 10:59:56 1996
X-MS-TNEF-Correlator:
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Encoding: 58 TEXT, 63 UUENCODE
X-MS-Attachment: WINMAIL.DAT 0 00-00-1980 00:00
Date: Fri, 18 Oct 1996 08:35:04 -0700
From: "Schmidt, Bill (MSED)"
To: academic-firewalls@net.tamu.edu
Subject: RE: Suggestion: A moderator

I can't say any pros or cons about the Sidewinder for NT, but for a while, I'm going to be cautious about ANY Firewall that is based on NT. I'm a Microsoft Certified Systems Engineer (big deal!) and involved in network and computer security. I question Microsoft's willingness to let us know about "holes" in the NT operating system that exist now, and those that may appear in the future. Microsoft barely will admit even obvious bugs. I don't see them being very customer oriented. Firewall administrators will need fixes to bugs quickly, not a year after the media gets hold of it. I also wonder if Microsoft's only response to a "hole" would be, "your problem - not mine".

That said, the Army, and government in general, is migrating many users and systems to NT. If we install UNIX-based Firewalls, we need both UNIX and NT administrators. Though the two operating systems may not be that difficult to administer, administering one OS instead of two is easier.....fewer books to keep, fewer software upgrades, fewer support contracts, etc.. Also, UNIX types often don't want anything to do with NT, and NT types don't want to have to use UNIX.

I don't mean to bash Microsoft. I enjoy Windows 95, NT, my Sparc 2 (UNIX), and my Mac. Surprisingly, of all the three, the Mac is the most stable! I enjoy Win 95 and NT for the challenge of keeping them operating! The Sparc 2 is good too, but since I need the many "office" programs like Word, Excel, etc., I also need Microsoft's products.

Enough babbling from me. It's nice to see some conversation here.

Bill

----------
From: backlash@primenet.com[SMTP:backlash@primenet.com]
Sent: Thursday, October 17, 1996 2:59 PM
To: academic-firewalls@net.tamu.edu
Cc: academic-firewalls@net.tamu.edu
Subject: Re: Suggestion: A moderator

At 11:13 AM 10/17/96 -0500, Dark_Skye wrote:
>On Wed, 16 Oct 1996, Tim Miley wrote:
>
>>
>> I just got something from NaturePlus addressed from academic firewalls.
>> Methinks the group needs a moderator...
>>
>> ...and given the low traffic, participants and discussion would be a plus.
>>
>> Tim
>>

Hell I almost forgot that I even subscribed to this mailing list, it's been so long since I got a message from it. Anyone hear anything about the SideWinder Firewall for NT?
backlash@primenet.com
--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 11:44:02 1996
Cc: academic-firewalls@net.tamu.edu
X-Mailer: TkMail 4.0beta6
In-Reply-To:
Date: Fri, 18 Oct 1996 11:38:37 -0500
From: Doug Hughes
To: academic-firewalls@net.tamu.edu
Subject: RE: Suggestion: A moderator

>I'm new to network security work, but here are a few things I'd like to be
>aware of:

>I'd like to know when someone attempts an ftp "put" (or mput), when only
>"get" is authorized for the IP address of the ftp server.

We use logdaemon ftpd which has good logs.. Just grep for 'PUT'

> I'd also like to
>know if someone attempts a tftp operation.

We use traps (klaxon, tocsin) for this sort of thing

> I'd like to know if someone is
>trying to log on remotely to any server as "root", "admin", and
>"administrator".

tcp_wrappers again.

> I'd like to know when someone is trying to modify any
>"pre-defined" files on any server.

That's a job for tripwire (COAST archives)

> I'd like to know when modifications are
>attempted via SNMP.

I use tocsin for that (SunOS/Solaris only at the present time unless somebody is willing to port from NIT/DLPI)

One thing I'd like to have is a smart program that detects well-known attacks of various types simply by watching the network.. It would decode, analyze, detect, and alarm for rdist attacks, sendmail attacks, etc. This would probably end up being a very sophisticated program! :)

--
____________________________________________________________________________
Doug Hughes                    Engineering Network Services
System/Net Admin               Auburn University
doug@eng.auburn.edu

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 12:00:14 1996
X-Mailer: TkMail 4.0beta6
In-Reply-To: <199610181503.IAA18293@fraser>
Date: Fri, 18 Oct 1996 11:54:34 -0500
From: Doug Hughes
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

> One of the most valuable things (which I haven't seen mentioned yet)
>is to provision the dorms with 10baseT drops that come back to a "blanking
>hub". A "blanking hub" (it probably has a proper name but I don't know it :-) )
>detects the source and destination ports for each packet and ships it to those
>ports unchanged. All other ports on the hub get the headers of the packet
>unchanged but the data blanked (or I think on some hubs get a jam signal when
>the packet is transiting the network). On at least some Cabletron hubs this
>is an around $200 option. It buys the student in the dorm security against
>packet sniffing by their fellow students or outside crackers that have broken
>in to a machine. I expect that lots of academic sites still use reusable
>passwords which are subject to sniffer attacks simply because the cost of
>implementing one of the one time password systems is too high.
>

Agreed. We have HP AdvanceStack hubs. They provide this capability too in various forms. You can have it send an alarm when the hardware address on the port changes, you can have it do nothing. You can have it shut down the port and send an alarm. In 'do nothing' mode, it sees all packets for the subnet of the hub. In security mode (send alarm, shutdown port) it only sees packets destined to 'its' hardware address. Everything else is scrambled/blanked. It's a good option for sensitive subnets where people may be tempted to plug in a laptop or other machine without authorization.
You then have a machine set up somewhere that receives the traps so that you know when something has occurred that you might want to investigate.

--
____________________________________________________________________________
Doug Hughes                    Engineering Network Services
System/Net Admin               Auburn University
doug@eng.auburn.edu

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 12:24:40 1996
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610172158.QAA28832@banach.math.purdue.edu>; from "sjh@MATH.Purdue.EDU" at Oct 17, 96 4:58 pm
X-Mailer: ELM [version 2.3 PL11]
Date: Fri, 18 Oct 96 11:17:08 MDT
From: woods@ucar.edu (Greg Woods)
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

> > Greg Woods wrote:
> >
> > > The University has always been a place of free exchange of ideas and
> > > communication. The internet has helped greatly. The problem with Internet
> > > Firewalls at academic institutions, as I see them, are the fact that they can
> > > easily squelch free expression in the interests of security.
> >
> > To be honest, I really don't see what you're getting at here. Firewalls
> > do not let some things through and block others based on content. You
> > could have a *policy* that says you can't http to playboy.com, and you
> > could say that is suppressing free expression maybe, but in that case,
> > it's the policy, not the firewall, that's doing the suppressing. I don't
> > think the mere existence of a firewall constitutes stifling of free
> > expression.
> >
> > --Greg
>
> I'm not sure if the original poster had this in mind, but I
> interpreted the message as addressing the problem that we would have
> with a firewall, if we understand it correctly (and that is not
> certain). We have the impression that to get the best security from a
> firewall certain services from our hosts would be blocked to access
> from hosts outside of our subnet. Those services might include telnet
> and rlogin (a policy decision, to be sure, but a reasonable one). If
> that is the case our faculty, who travel to many unpredictable places
> throughout the world, would have "difficulty" logging in from there to
> here. Difficulty is a subjective term, in that what is difficult for
> some faculty would not be a problem for others. What kinds of
> difficulties would they experience? Would it just be a matter of
> obtaining authentication on the firewall before doing an rlogin to a
> host behind the firewall?
>
> Ftp and http would probably be allowed only to a machine set up for
> that purpose on a host on the outside of the firewall. Would that
> cause problems for those using hosts behind the firewall in updating
> their home pages?
>
> If one certain faculty member who does image compression research
> wanted to ftp images from here to where he happens to be in Europe or
> do whatever magic he has to do to get the images to the ftp
> host, then ftp them to his location? With several tens of megabytes
> that might be "too difficult". Eh?
>
> This might be construed as limiting the free exchange of ideas and
> communication.

I don't buy that interpretation. There is a world of difference between making something difficult in the name of security, and making it impossible in the name of controlling user activity. I'm sure lots of users will whine about restrictions and *claim* that their "free expression" is being "suppressed", but that doesn't make it so. The truth is, things have changed. Not even academic sites can survive in a totally open environment any more; there are simply too many people out there who will take advantage of it. I also have no doubt that the same users who whine about "restricting free expression" will be the same ones who whine when the hackers bring down their server and ask you why you didn't do anything to stop them. No doubt they will also claim that their server being down is stifling their free expression too. You can't win. You have to get the users to see that security is necessary. I know it's hard; I haven't had much luck here yet either. But you can't let the impression that new security measures are stifling free expression go unchallenged, when that isn't the intent or effect of it at all.

--Greg

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 12:47:00 1996
X-MS-TNEF-Correlator:
X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5
Encoding: 65 TEXT, 56 UUENCODE
X-MS-Attachment: WINMAIL.DAT 0 00-00-1980 00:00
Date: Fri, 18 Oct 1996 10:34:53 -0700
From: "Schmidt, Bill (MSED)"
To: academic-firewalls@net.tamu.edu
Subject: RE: I see said the blind man

ON Technology Corp makes a combination IP and IPX firewall. Check it out (and other NCSA certified Firewalls) at http://www.ncsa.com/fpfs/fwindex.html

Bill Schmidt

----------
From: Davidson, Clyde[SMTP:CDAVIDSO@IS.NMH.NMH.ORG]
Sent: Friday, October 18, 1996 7:51 AM
To: academic-firewalls@net.tamu.edu
Subject: RE: I see said the blind man

Since no one else answered the Novell question...

The Internet uses the TCP/IP protocol and NetWare uses the IPX/SPX protocol. Therefore, no NetWare traffic can travel on the Internet or go through the firewall. (I suppose you could have an internal NetWare firewall, but I've never seen it.)

The only way that IPX traffic could go through the firewall and onto the Internet would be with IP tunneling. However, putting IPX packets inside IP packets means that it is controlled by the firewall as IP. Then the firewall can control what gets to the other end of the tunnel. Once the other end of the tunnel strips off the IP packet, it becomes a regular IPX packet that the firewall doesn't understand.

From a user's point of view, they have both the IPX and the IP stacks and can talk to either system.
Clyde Davidson
Data Security Coordinator
NMH

----------
From: Tim Miley[SMTP:tmiley@yakko.cs.wmich.edu]
Sent: Thursday, October 17, 1996 8:21 PM
To: academic-firewalls
Subject: I see said the blind man

I guess I was under the impression that a firewall totally blocked packets from the internal network, forcing the network user to actually connect to the firewall to address the outside net, virtually blocking the local net from the outside world. Can a firewall selectively filter packets that, for example, are aimed at a Novell server, without blocking the Novell user's ability to access the net. For example:

    Internet |---(Novell control packet)-->||Firewall||        Lan user
    Internet |---(HTTP transfer packet)--->||Firewall||----> Lan user

Tim

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 13:12:05 1996
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Fri, 18 Oct 1996 10:38:00 +0000
From: NW-CORP!PBolduc@nrthwood.attmail.com (Phil Bolduc)
To: academic-firewalls@net.tamu.edu
Subject: Academic Firewalls listserv address?

Hello,

I subscribed to this list about a year and a half ago. Now I would like to get off it. However, I have lost the LISTSERV address. Could someone post it for me so I can get off this list.

Thanx

Phil Bolduc

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 13:22:21 1996
X-Sender: hendrtw@mallard
cc: academic-firewalls@net.tamu.edu
In-Reply-To: <12414.9610180909@gmap.leeds.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Fri, 18 Oct 1996 13:10:29 -0500 (CDT)
From: Dark_Skye
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

On Fri, 18 Oct 1996, Danny Cox wrote:

> > But moving on... My question deals with what is happening at the
> > University I am currently attending, as well as many other University
> > settings that I know of. We have the pleasure of being linked
> > directly to the University network through Ethernet cards in our
> > Residence rooms (that is to say our own computers are being hooked up
> > to allow access to the internet as a whole, among other computers).
> > A question then arises as to the security of this for not only the
> > University's computers, but for the computers of the students.
> > What
> > is the best implementation of a firewall to protect the individuals
> > without disturbing the community as a whole?
>
> Howsabout placing all these student machines on one network or subnetwork
> and firewalling them off from the rest of the university? It means that
> they're vulnerable to each other of course, but not to the rest of the uni.
>

...and we all know that students would NEVER bother other students' stuff....can anyone tell me how to get the orange book....without buying one from the government....(Trusted Networks if yer colour blind)....or any other kewl networking books....

thanks loads,
Dark_Skye
[ OOOOOOOOOOOOO[>>>>>>>>>>>>>>>>>>>>>>>>>>> [
"...and remember, life is sexually transmitted"
"Blood and Perie GODDAMN IT!"

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 13:51:39 1996
X-Sender: angel005@maroon.tc.umn.edu
X-Mailer: Windows Eudora Light Version 1.5.2
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 18 Oct 1996 13:41:03 -0500
From: Patricia Angell
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

At 09:05 AM 10/18/96 -0400, Paul Howell wrote:
>
>Experimenting and breaking in are two very different items. Blocking
>traffic may hinder experimentation in a wide variety of legitimate
>areas, thus hindering a university's interests.
>
>It seems to me that putting firewalls up in a university may be
>a fine idea, if you don't have any students that you're asking to
>experiment with new ideas/protocols/etc..
>

At the other end of the spectrum are university hospitals and clinics providing patient care who need to protect patient confidentiality. Or student health services needing to do likewise.....

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 14:34:43 1996
cc: academic-firewalls@net.tamu.edu
In-reply-to: Your message of Fri, 18 Oct 1996 07:47:42 -0700.
Date: Fri, 18 Oct 1996 15:25:01 -0400
From: Paul Howell
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

> This may mean doing it to a machine inside the firewall because the
> fire wall would block the attempt to do it from outside, but it really is an
> issue of policy, appropriate approvals and courtesy towards the sys admin of
> the system that is being "experimented" on not anything to do with the
> implementation of the firewall.

The problem with this is if there is collaboration between institutions, then a firewall may get in the way. If one site is using a firewall to block these "signature" connections which are not part of any breakin, then people are denied the ability to experiment.

Paul Howell
Manager, Systems Group
Computer Aided Engineering Network, The University of Michigan
2281 Bonisteel Drive - 1315b Media Union        voice: (313)936-2486
Ann Arbor, MI 48109-2094                        fax:   (313)936-3107

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 17:23:52 1996
X-Sender: mmgall@admin
Cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610181503.IAA18293@fraser>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Fri, 18 Oct 1996 18:09:48 -0400 (EDT)
From: Morris Galloway
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

On Fri, 18 Oct 1996, Peter Van Epp wrote:

> One of the most valuable things (which I haven't seen mentioned yet)
> is to provision the dorms with 10baseT drops that come back to a "blanking
> hub". A "blanking hub" (it probably has a proper name but I don't know it :-) )
> detects the source and destination ports for each packet and ships it to those
> ports unchanged. All other ports on the hub get the headers of the packet
> unchanged but the data blanked (or I think on some hubs get a jam signal when
> the packet is transiting the network). On at least some Cabletron hubs this
> is an around $200 option.

3com hubs have a similar feature, which they call "need-to-know". Broadcast traffic goes to all ports. Other traffic not intended for the MAC address attached to a given port goes through with headers in the clear, and "garbage" of equal length in the data portion. This, as I understand it, preserves the collision domain, but defeats sniffing. It is not the default; it must be turned on. We tried it with a Network General Sniffer salesman, and it seems to work.

Predictions of switching costs dropping rapidly may make switching to the desktop a good solution by next summer -- again, so I hear. Comments, anyone?

Morris Galloway Jr.                 Internet: mmgall@presby.edu
Dean, Administrative Services       Phone: 1-864-833-8217
Presbyterian College
503 S. Broad St.
Clinton, SC 29325 USA
Visit PC: http://www.presby.edu/
Personal: http://web.presby.edu/~mmgall/

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 17:44:24 1996
In-Reply-To: from "Morris Galloway" at Oct 18, 96 06:09:48 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Date: Fri, 18 Oct 1996 15:38:19 -0700 (PDT)
From: Peter Van Epp
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

>
> Predictions of switching costs dropping rapidly may make switching to the
> desktop a good solution by next summer -- again, so I hear. Comments,
> anyone?
>

We have just dropped in an ATM fabric as the campus backbone and the edge routers provide Ethernet switching between ports. That allows the current shared Ethernet segment for those that don't need the bandwidth but allows dedicating a switched, potentially full duplex Ethernet to a drop as the first step towards higher bandwidth and still allows the option of pulling fibre and replacing that with a native ATM OC3 (155 meg) connection to the desktop.
We expect that the latter two solutions will be only a handful of the 5000+ drops on the campus lan (but if we turn out to be wrong the infrastructure is there to provide as much bandwidth as people can use and/or pay for).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 19:19:16 1996
Comments: Authenticated sender is
Organization: hal-pc.org
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
CC: academic-firewalls@net.tamu.edu
X-Confirm-Reading-To: "robertp@hal-pc.org"
X-pmrqc: 1
X-mailer: Pegasus Mail for Windows (v2.01)
Date: Fri, 18 Oct 1996 19:06:42 +0000
From: "robertp@hal-pc.org"
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls and Residence Rooms

> On Fri, 18 Oct 1996, Danny Cox wrote:
>
> > > But moving on... My question deals with what is happening at the
> > > University I am currently attending, as well as many other University
> > > settings that I know of. We have the pleasure of being linked
.....Snip Snip
> >
> > Howsabout placing all these student machines on one network or subnetwork
> > and firewalling them off from the rest of the university? It means that
> > they're vulnerable to each other of course, but not to the rest of the uni.
> >
> ...and we all know that students would NEVER bother other students'
> stuff....can anyone tell me how to get the orange book....without buying
> one from the government....(Trusted Networks if yer colour blind)....of
> any other kewl networking books....
>
> thanks loads,
> Dark_Skye
> [

The trusted networks document is the "Red Book" (NCSC-TG-005, "Trusted Network Interpretation", dated 31 July, 1987). The Orange Book is DOD 5200.28.STD, Department of Defense Trusted Computer System Evaluation Criteria, dated December 1985. You can FTP them from NIST - unfortunately, I do not have the address handy. Try one of the search engines.

Regards
Bob Plaumann

It is difficult to say what is impossible for the dream of yesterday is the reality of tomorrow - Dr. Robert H. Goddard

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 19:38:05 1996
X-Sender: dugsong@lukyduk.ifs.umich.edu
cc: academic-firewalls@net.tamu.edu
In-Reply-To: <199610171658.MAA17580@yakko.cs.wmich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Fri, 18 Oct 1996 20:32:09 -0400 (EDT)
From: Douglas Song
Reply-To: Douglas Song
To: academic-firewalls@net.tamu.edu
Subject: Re: Academic firewalls

On Thu, 17 Oct 1996, Tim Miley wrote:

> Can most firewall products selectively analyze network traffic on the fly
> and determine what is and isn't legitimate uses? What do you block?

The approach we take with our general-purpose Unix machines is more of an educational one - we disallow things, but we do not prohibit them. A typical firewall policy is to prohibit anything not expressly allowed. This doesn't make for a very open environment, though; it is a pain for a user to have to ask the firewall admin anytime they want a new proxy installed so they can just try out something like RealAudio, etc. Instead, we just monitor things very carefully, and educate users when we find abuses.

Our staff and administrative machines are configured differently, but that's because we, as staff, are accustomed to being inconvenienced in the name of security. We can't expect that of our user population, though.

Things we do:

We sync our machines nightly using synctree, a homegrown program by Paul Howell that allows us to keep machine templates (classes) in AFS. On every machine, every night, synctree basically walks through the entire filesystem removing extraneous files, resetting permission bits, ownerships, or replacing files based on md5 checksum. It only takes about 15 minutes, and we get notified if a sync doesn't happen.
We run IP filter (Darren Reed's packet-filtering kernel loadable module) on our machines to do some basic things (no incoming TCP SYN's to non-reserved ports from outside our network, etc.). This, in conjunction with synctree, allows us to have different packet filtering rules for different classes of hosts, regardless of what stretch of wire they're on. But no firewall, just some kernel-level packet filtering, and at the router. We do use a hacked version of smap as our SMTP proxy, though.

All of our major authenticated network services (telnet, ftp, ssh, etc.) are AFS Kerberized. We don't really see a need to firewall our general purpose Unix machines, since we maintain good network and host security. Our telnet client notifies us when people connect to port 25 or 119 of a machine, and we will soon deploy encryption warnings in our telnet daemon and client (we have had to hold off on this to do some user education and notification). The default Mac telnet client in the campus computing sites is Kerberized, and does encryption by default. We hacked Kerberos and AFS support into SSH for those off-campus users who don't have Kerberized clients, but have access to SSH (Windows or Unix client).

We do a lot of log monitoring and analysis. Daily log crunches give us a good idea of what's going on as well - DNS, mail, telnet, ftp, etc. We generate between 50-100 MB of logs a day, and use logsurfer for real-time monitoring and notification (much better than swatch, I've found). The log crunching is done currently with a suite of awk scripts, but we are now working on entering logs into an Oracle database for more sophisticated processing. We generate weekly usage graphs, and daily summary reports that tell us about things like:

1. FTP usage. Warez transfers (egrep -i '/\..*/.*\.zip' works well ;), sudden increases in logins to an account, logins from multiple foreign hosts, obscene amounts of data transferred, etc.
2. Login profiles. Logins from multiple foreign hosts, laundered telnets across hosts, failed logins, etc.
3. Mail usage. Fakemail (based on ident info), mail bombing, etc.
4. Backgrounded processes killed (IRC bots, rogue web/MUD/CU-SeeMe/FSP/chat/okbridge servers, etc.). This is per our usage policy, which we (sysadmins) don't determine. We do this with some scripts that use lsof.

A firewall makes such auditing easier, but since all our machines are centrally maintained and configured via synctree, it's no problem to centralize our logging as well.

We have no firewall on our residence hall subnets, either. To protect our users in the dorms from other evil sniffing residents, we provide a full suite of Kerberized applications in our "UM Connectivity Kit". While it is tempting to install a firewall for the dorms to protect our students from the Big Bad Internet, there isn't a lot of concern since the large majority of students are Mac users, and if someone decides to set up a Unix box, they assume the risk themselves.

Sorry this was so long. Good to see some traffic on this list... :-)

---
Douglas Song
dugsong@{umich.edu,monkey.org}
University of Michigan ITD GPCC Unix Services
www: http://www-personal.umich.edu/~dugsong
keyid: C2263445
fingerprint: BF F5 20 EA DA 2F C4 F4 7D 68 4A 50 E4 35 D1 17

--------
From academic-firewalls-owner@net.tamu.edu Fri Oct 18 20:13:39 1996
X-Sender: hendrtw@mallard
cc: academic-firewalls@net.tamu.edu
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Fri, 18 Oct 1996 20:07:28 -0500 (CDT)
From: Dark_Skye
To: academic-firewalls@net.tamu.edu
Subject: I'm sorry....

OK OK someone replied to my meager lil' msg....yet instead of citing the "orange book" as trusted DOD which I meant....I said trusted networks... please don't hate me...but is there a way to obtain good ol' hard copies without purchase thru uncle sam??
DOD = cell phones + internet + ADA + orange book

Apparently ifing loopy,
Dark_Skye
"...and remember, life is sexually transmitted"
"Blood and Perie GODDAMN IT!"

--------
From academic-firewalls-owner@net.tamu.edu Sat Oct 19 10:34:42 1996
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: academic-firewalls-owner@net.tamu.edu
Date: Sat, 19 Oct 96 11:07 EDT
From: micetrap@cyberenet.net (Steve)
To: academic-firewalls@net.tamu.edu

Please take me off of this mailing list! Someone maliciously added me and I am being flooded by your mail!

--------
From academic-firewalls-owner@net.tamu.edu Sat Oct 19 12:19:22 1996
X-Sender: nozkan@limon
cc: academic-firewalls@net.tamu.edu
In-Reply-To: <32679C1D.2EA1@micro.se>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Sat, 19 Oct 1996 20:06:35 +0300 (EET)
From: Nihat Ozkan
To: academic-firewalls@net.tamu.edu

unsubscribe nozkan@bilkent.edu.tr

--------
From academic-firewalls-owner@net.tamu.edu Sat Oct 19 13:39:28 1996
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Sat, 19 Oct 1996 12:29:04 -0600 (MDT)
From: Dave Grisham
To: academic-firewalls@net.tamu.edu
Subject: fire wall question!

We are looking at fire wall options for a data warehouse. There is a plethora of vendors and products. Here is the rough concept:

     -----    ------------------------------------    -----------
     main|    | fire  >   oracle        web     <|    |   web   |
    frame|--| wall  >   server       server  <|--| clients |
     data|    |       >                         <|    |         |
     -----    ------------------------------------    -----------

Does anyone have experience with a design like this?

Cheers.
--grish

Dr. David D. Grisham, Security Admin.           Phone (505) 277-8032  FAX 277-8101
Computer & Information Resources & Technology   Internet dave@unm.edu
Univ. of New Mexico, Albuquerque, NM 87131      http://www.unm.edu/~dave

--------
From academic-firewalls-owner@net.tamu.edu Sat Oct 19 16:14:23 1996
Cc:
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Date: Sat, 19 Oct 1996 15:58:34 -0500
From: "Ruben "
To: academic-firewalls@net.tamu.edu
Subject: mailing list....

someone must have posted me on this list please remove my address. Thank you.

----------
> From: Douglas Song
> To: academic-firewalls@net.tamu.edu
> Cc: academic-firewalls@net.tamu.edu
> Subject: Re: Academic firewalls
> Date: Friday, October 18, 1996 7:32 PM
>
> On Thu, 17 Oct 1996, Tim Miley wrote:
>
> > Can most firewall products selectively analyze network traffic on the fly
> > and determine what is and isn't legitimate uses? What do you block?
>
> The approach we take with our general-purpose Unix machines is more of an
> educational one - we disallow things, but we do not prohibit them. A
> typical firewall policy is to prohibit anything not expressly allowed.
> This doesn't make for a very open environment, though; it is a pain for a
> user to have to ask the firewall admin anytime they want a new proxy
> installed so they can just try out something like RealAudio, etc. Instead,
> we just monitor things very carefully, and educate users when we find
> abuses.
>
> Our staff and administrative machines are configured differently, but
> that's because we, as staff, are accustomed to being inconvenienced in the
> name of security. We can't expect that of our user population, though.
>
> Things we do:
>
> We sync our machines nightly using synctree, a homegrown program by Paul
> Howell that allows us to keep machine templates (classes) in AFS.
On every > machine, every night, synctree basically walks through the entire > filesystem removing extraneous files, resetting permission bits, > ownerships, or replacing files based on md5 checksum. It only takes about > 15 minutes, and we get notified if a sync doesn't happen. > > We run IP filter (Darren Reed's packet-filtering kernel loadable module) > on our machines to do some basic things (no incoming TCP SYN's to > non-reserved ports from outside our network, etc.). This, in conjunction > with synctree, allows us to have different packet filtering rules for > different classes of hosts, regardless of what stretch of wire they're on. > But no firewall, just some kernel-level packet filtering, and at the > router. We do use a hacked version of smap as our SMTP proxy, though. > > All of our major authenticated network services (telnet, ftp, ssh, etc.) > are AFS Kerberized. We don't really see a need to firewall our general > purpose Unix machines, since we maintain good network and host security. > Our telnet client notifies us when people connect to port 25 or 119 of a > machine, and we will soon deploy encryption warnings in our telnet daemon > and client (we have had to hold off on this to do some user education and > notification). The default Mac telnet client in the campus computing > sites is Kerberized, and does encryption by default. We hacked Kerberos > and AFS support into SSH for those off-campus users who don't have > Kerberized clients, but have access to SSH (Windows or Unix client). > > We do a lot of log monitoring and analysis. Daily log crunches give us a > good idea of what's going on as well - DNS, mail, telnet, ftp, etc. We > generate between 50-100 MB of logs a day, and use logsurfer for real-time > monitoring and notification (much better than swatch, I've found). The log > crunching is done currently with a suite of awk scripts, but we are now > working on entering logs into an Oracle database for more sophisticated > processing. 
We generate weekly usage graphs, and daily summary reports > that tell us about things like: > > 1. FTP usage. Warez transfers (egrep -i '/\..*/.*\.zip' works well ;), > sudden increases in logins to an account, logins from multiple foreign > hosts, obscene amounts of data transferred, etc. > 2. Login profiles. Logins from multiple foreign hosts, laundered telnets > across hosts, failed logins, etc. > 3. Mail usage. Fakemail (based on ident info), mail bombing, etc. > 4. Backgrounded processes killed (IRC bots, rogue > web/MUD/CU-SeeMe/FSP/chat/okbridge servers, etc.). This is per our > usage policy, which we (sysadmins) don't determine. We do this with > some scripts that use lsof. > > A firewall makes such auditing easier, but since all our machines are > centrally maintained and configured via synctree, it's no problem to > centralize our logging as well. > > We have no firewall on our residence hall subnets, either. To protect our > users in the dorms from other evil sniffing residents, we provide a full > suite of Kerberized applications in our "UM Connectivity Kit". While it is > tempting to install a firewall for the dorms to protect our students from > the Big Bad Internet, there's isn't a lot of concern since the large > majority of students are Mac users, and if someone decides to set up a > Unix box, they assume the risk themselves. > > Sorry this was so long. Good to see some traffic on this list... 
:-) > > --- > Douglas Song dugsong@{umich.edu,monkey.org} > University of Michigan ITD GPCC Unix Services > www: http://www-personal.umich.edu/~dugsong > keyid: C2263445 fingerprint: BF F5 20 EA DA 2F C4 F4 7D 68 4A 50 E4 35 D1 17 > > > > > > > > > -------- From academic-firewalls-owner@net.tamu.edu Sat Oct 19 17:05:19 1996 cc: academic-firewalls@net.tamu.edu, academic-firewalls-owner@net.tamu.edu In-Reply-To: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Date: Sat, 19 Oct 1996 17:50:17 -0400 (EDT) From: Wearen Life To: academic-firewalls@net.tamu.edu Subject: Re: your mail please remove me also! On Sat, 19 Oct 1996, Steve wrote: > Please take me off of this mailing list! Someone maliciously added me and I > am being flooded by your mail! > > > -------- From academic-firewalls-owner@net.tamu.edu Sat Oct 19 18:06:26 1996 cc: academic-firewalls-owner@net.tamu.edu In-Reply-To: X-Mailer: EMBLA Lite 1.1 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Date: Sat, 19 Oct 1996 23:55:15 -0500 From: Peter Dahlman Reply-To: Peter Dahlman To: academic-firewalls@net.tamu.edu Subject: Re: academic-firewalls-owner@net.tamu.edu: > Please take me off of this mailing list! Someone maliciously added me and I > am being flooded by your mail! > > > > Please get me off this mailing list too!!! I WANNA GET OUTTA HERE! NOW!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! HELP!! -------- From academic-firewalls-owner@net.tamu.edu Sat Oct 19 19:18:26 1996 Cc: academic-firewalls@net.tamu.edu In-Reply-To: <199610171721.KAA13241@palouse.uidaho.edu> from "Jim Alves-Foss" at Oct 17, 96 10:21:54 am X-Mailer: ELM [version 2.4 PL23] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Date: Sat, 19 Oct 1996 17:08:28 -0700 (PDT) From: Nathan Lawson To: academic-firewalls@net.tamu.edu Subject: Re: Suggestion: A moderator > One question that has come up during the development discussions is: > What do people really want to know? 
>In otherword, when monitoring the activity of your site, what information is of > importance to you and what is not essential? > >In my case, I am primarily interested finding unauthroized servers and abnormal > remote logins. I DO NOT want to look at packet contents or content streams, > just want to find out the big picture of what is happening. Maybe even look at > failed login attempts and doorknob-style attacks. Currently, I am on leave from school while working at ISS. While here, I've developed a commercial product which does a lot of what you are interested in. All alpha and beta versions are freely available for download (see http://www.iss.net/RealSecure for details). The release versions will cost money, but hopefully the alpha/beta copies can give you some ideas of what you should be looking for. - -- Nate Lawson "There are a thousand hacking at the branches of CPE Senior evil to one who is striking at the root." CSL Admin -- Henry David Thoreau, 'Walden', 1854 -------- From academic-firewalls-owner@net.tamu.edu Sun Oct 20 00:41:55 1996 Cc: , X-MSMail-Priority: Normal X-Priority: 3 X-Mailer: Microsoft Internet Mail 4.70.1155 MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Date: Sun, 20 Oct 1996 00:10:39 -0600 From: "Pamela North" To: academic-firewalls@net.tamu.edu Subject: Re: your mail - ---------- > From: Wearen Life > To: academic-firewalls@net.tamu.edu > Cc: academic-firewalls@net.tamu.edu; academic-firewalls-owner@net.tamu.edu > Subject: Re: your mail > Date: Saturday, October 19, 1996 3:50 PM > > please remove me also! > > On Sat, 19 Oct 1996, Steve wrote: > > > Please take me off of this mailing list! Someone maliciously added me and I > > am being flooded by your mail! > > > > Add me too the list of remove eees.. thanx! > >
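The daily-report checks described in Douglas Song's post quoted earlier in this thread (the egrep pattern for .zip files under a dot-directory, logins from multiple foreign hosts, and the failed-login "doorknob" rattling that the Alves-Foss question quoted by Nate Lawson also asks about), as an added Python example; it is not code from either poster or from the University of Michigan. The xferlog-style and login lines are constructed sample data, and the local-domain suffix, the login line layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the post). FTP lines follow the wu-ftpd
# xferlog field order; login lines use a made-up "user from host status" layout.
XFERLOG = """\
Sat Oct 19 12:00:01 1996 3 mirror.example.edu 204800 /pub/gnu/tar.gz b _ o a ftp ftp 0 * c
Sat Oct 19 12:05:14 1996 40 dialup7.example.net 5242880 /pub/incoming/.tmp/.w/game.zip b _ o r bob ftp 0 * c
"""
LOGINS = """\
Oct 19 12:01:02 alice from lab1.umich.edu ok
Oct 19 12:03:44 bob from dialup7.example.net ok
Oct 19 12:04:10 bob from ppp3.example.org ok
Oct 19 12:06:00 carol from badhost.example.com failed
Oct 19 12:06:01 carol from badhost.example.com failed
Oct 19 12:06:02 root from badhost.example.com failed
"""

# The post's egrep pattern: a .zip fetched from somewhere under a dot-directory.
WAREZ_RE = re.compile(r"/\..*/.*\.zip", re.IGNORECASE)

def warez_transfers(xferlog):
    """(user, remote host, path) for every transfer matching the pattern."""
    hits = []
    for line in xferlog.splitlines():
        f = line.split()
        if len(f) < 14:          # skip truncated or blank records
            continue
        host, path, user = f[6], f[8], f[13]
        if WAREZ_RE.search(path):
            hits.append((user, host, path))
    return hits

def multi_host_logins(logins, local_suffix, min_hosts=2):
    """Users with successful logins from min_hosts+ distinct non-local hosts."""
    hosts = defaultdict(set)
    for line in logins.splitlines():
        _, _, _, user, _, host, status = line.split()
        if status == "ok" and not host.endswith(local_suffix):
            hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}

def doorknob_sources(logins, threshold=3):
    """Remote hosts with at least `threshold` failed logins, any account."""
    fails = defaultdict(int)
    for line in logins.splitlines():
        _, _, _, _, _, host, status = line.split()
        if status == "failed":
            fails[host] += 1
    return {h: n for h, n in fails.items() if n >= threshold}
```

In a nightly crunch the three functions would be fed the day's real xferlog and login records instead of the constructed strings, with the results going into the summary report.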