----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 10, 2001 7:32 AM
Subject: Firewalls digest, Vol 1 #83 - 12 msgs

> Send Firewalls mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnac.net/mailman/listinfo/firewalls
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewalls digest..."
>
>
> Today's Topics:
>
> 1. Fwd: FW: CERT Advisory CA-2001-17 (ragu nandan)
> 2. Re: Stonegate Firewall ( what do you think? ) (gilles)
> 3. Re: Stonegate Firewall ( what do you think? ) (Martin Hoz)
> 4. Re: Stonegate Firewall ( what do you think? ) (Alvin Oga)
> 5. regarding Slack 8 (Wasiuddin Rajesh)
> 6. RE: Stonegate Firewall ( what do you think? ) (Ben Keepper)
> 7. RE: Multi-homed Internet connection (Ben Nagy)
> 8. L2TP through PIX (Jason Lewis)
> 9. RE: ipchains, the liar (Reckhard, Tobias)
> 10. Blocking of Yahoo Messenger (Ravi Kumar)
> 11. RE: Blocking of Yahoo Messenger (Ronneil Camara)
> 12. RE: Blocking of Yahoo Messenger (Steven Pierce)
>
> --__--__--
>
> Message: 1
> Date: Mon, 9 Jul 2001 14:48:50 -0700 (PDT)
> From: ragu nandan <[EMAIL PROTECTED]>
> Subject: Fwd: FW: CERT Advisory CA-2001-17
> To: [EMAIL PROTECTED]
>
> Thought this might be useful. Patch available at CP site.
>
> Ragu
>
> > -----Original Message-----
> > From: CERT Advisory [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 09, 2001 10:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: CERT Advisory CA-2001-17
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > CERT Advisory CA-2001-17 Check Point RDP Bypass Vulnerability
> >
> > Original release date: July 09, 2001
> > Last revised: --
> > Source: CERT/CC
> >
> > A complete revision history is at the end of this file.
> >
> > Systems Affected
> >
> > * Check Point VPN-1 and FireWall-1 Version 4.1
> >
> > Overview
> >
> > A vulnerability in Check Point FireWall-1 and VPN-1 may allow an intruder to pass traffic through the firewall on port 259/UDP.
> >
> > I. Description
> >
> > Inside Security GmbH has discovered a vulnerability in Check Point FireWall-1 and VPN-1 that allows an intruder to bypass the firewall. The default FireWall-1 management rules allow arbitrary RDP (Reliable Data Protocol) connections to traverse the firewall. RFC-908 and RFC-1151 describe the Reliable Data Protocol (RDP). Quoting from RFC-908:
> >
> > The Reliable Data Protocol (RDP) is designed to provide a reliable data transport service for packet-based applications such as remote loading and debugging.
> >
> > RDP was designed to have much of the same functionality as TCP, but it has some advantages over TCP in certain situations. FireWall-1 and VPN-1 include support for RDP, but they do not provide adequate security controls. Quoting from the advisory provided by Inside Security GmbH:
> >
> > By adding a faked RDP header to normal UDP traffic any content can be passed to port 259 on any remote host on either side of the firewall.
> >
> > For more information, see the Inside Security GmbH security advisory, available at
> >
> > http://www.inside-security.de/advisories/fw1_rdp.html
> >
> > Although the CERT/CC has not seen any incident activity related to this vulnerability, we do recommend that all affected sites upgrade their Check Point software as soon as possible.
> >
> > II. Impact
> >
> > An intruder can pass UDP traffic with arbitrary content through the firewall on port 259 in violation of implied security policies.
> >
> > If an intruder can gain control of a host inside the firewall, he may be able to use this vulnerability to tunnel arbitrary traffic across the firewall boundary.
> >
> > Additionally, even if an intruder does not have control of a host inside the firewall, he may be able to use this vulnerability as a means of exploiting another vulnerability in software listening passively on the internal network.
> >
> > Finally, an intruder may be able to use this vulnerability to launch certain kinds of denial-of-service attacks.
> >
> > III. Solutions
> >
> > Install a patch from Check Point Software Technologies. More information is available in Appendix A.
> >
> > Until a patch can be applied, you may be able to reduce your exposure to this vulnerability by configuring your router to block access to 259/UDP at your network perimeter.
> >
> > Appendix A
> >
> > Check Point
> >
> > Check Point has issued an alert for this vulnerability at
> >
> > http://www.checkpoint.com/techsupport/alerts/
> >
> > Download the patch from Check Point's web site:
> >
> > http://www.checkpoint.com/techsupport/downloads.html
> >
> > Appendix B. - References
> >
> > 1. http://www.inside-security.de/advisories/fw1_rdp.html
> > 2. http://www.kb.cert.org/vuls/id/310295
> > 3. http://www.ietf.org/rfc/rfc908.txt
> > 4. http://www.ietf.org/rfc/rfc1151.txt
> >
> > _________________________________________________________________
> >
> > Our thanks to Inside Security GmbH for the information contained in their advisory.
> >
> > _________________________________________________________________
> >
> > This document was written by Ian A. Finlay. If you have feedback concerning this document, please send email to:
> >
> > mailto:[EMAIL PROTECTED]?Subject=Feedback CA-2001-17 [VU#310295]
> >
> > Copyright 2001 Carnegie Mellon University.
> >
> > Revision History
> > July 09, 2001: Initial Release
> >
> > -----BEGIN PGP SIGNATURE-----
> > [PGP signature block omitted]
> > -----END PGP SIGNATURE-----
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/
>
> --__--__--
>
> Message: 2
> Date: Mon, 9 Jul 2001 23:59:34 +0200
> From: gilles <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: Stonegate Firewall ( what do you think? )
>
> On Mon, Jul 09, 2001 at 10:23:24PM +0200, Axel Eble wrote:
> > Slade Edmonds wrote:
> > >
> > > I wanna know what people out there think about the Stonegate Firewall product. Is it good? Do people actually use it?
> > > Are there people that *don't* like it? Etc. Etc.
> >
> > What I saw at the CeBIT looked quite interesting. Stonesoft didn't want to give me a demo version though. They only sent me some Word document where I'm supposed to enter some contact data. Alas, I can't open it because I'm using Linux :-)
> >
> > The nice thing about it is the integrated SB Full Cluster and that it runs under Linux.
>
> http://bermude.dnsalias.net/donlod/antiword-0.30.tar.gz should help you
>
> `tar -xvzf antiword-0.30.tar.gz` on a GNU tar
> `gzip -dc antiword-0.30.tar.gz | tar -xvf -` on others (if I'm good)
>
> gilles.
> --
> The terrible mysteries of the Christian faith
> Are not open to cheerful ornamentation.
> Nicholas Boileau-Despreaux: L'Art poétique
>
> --__--__--
>
> Message: 3
> Date: Mon, 09 Jul 2001 17:08:47 -0600
> From: Martin Hoz <[EMAIL PROTECTED]>
> Organization: Universidad Autonoma de Nuevo Leon
> To: Slade Edmonds <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Stonegate Firewall ( what do you think? )
>
> Slade Edmonds wrote:
> >
> > I wanna know what people out there think about the Stonegate Firewall product. Is it good? Do people actually use it? Are there people that *don't* like it? Etc. Etc.
>
> StoneGate is actually a new guy in the firewalls arena... (March 2001) So, you probably will be one of the first people around the world using it... It's up to you to be a "paying-beta-tester" or use a more stable and more mature product (I guess you already know the names).
>
> See, even Stonesoft's customers have their doubts about seeing an HA company (in which they do it very well) now trying to make firewalls...
> http://msgs.securepoint.com/cgi-bin/get/stonebeat-0104/18/1.html
>
> I saw a demo past days... and lots of features (at least the GUI ones, and some others about functionality) seem very similar to the Check Point's Next Generation ones... anyway, I think the new Check Point's GUI is cuter... ;-)
> http://www.checkpoint.com/products/ng/ngui.html
>
> Another thing: they seem to prefer to fight in court, rather than push their technology and let the market decide:
> http://www.stonesoft.com/press-releases/856.html
> Sounds to me like a desperate company trying to make their numbers...
>
> You can try it anyway. Nothing to lose... ;-)
>
> Best regards.
>
> --
> Martin H. Hoz-Salvador
> EX-A-IEC, EX-A-FIME
> http://gama.fime.uanl.mx/~mhoz
>
> "Daddy, why doesn't this magnet pick up this floppy disk?"
>
> --__--__--
>
> Message: 4
> Date: Mon, 9 Jul 2001 15:30:18 -0700 (PDT)
> From: Alvin Oga <[EMAIL PROTECTED]>
> To: Martin Hoz <[EMAIL PROTECTED]>
> Cc: Slade Edmonds <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: Re: Stonegate Firewall ( what do you think? )
>
> hi ya
>
> am leery of companies that hide their physical address and phone numbers etc..etc.... ( can't find it in 2-3 clicks/guesses )
>
> - i'd think twice and then look at their competitors again... and see if the other guys' stuff can work and if the competitors return emails and phone calls... they get the sale...
>
> am just paranoid... ( please ignore if you don't agree w/ my paranoia )
>
> have fun
> alvin
> http://www.Linux-1U.net
>
> --__--__--
>
> Message: 5
> Date: Tue, 10 Jul 2001 04:55:28 +0600 (BDT)
> From: Wasiuddin Rajesh <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: regarding Slack 8
>
> hi.......
> is there anyone using Slack 8? Please let me know .......
>
> regards
> rajesh.
>
> --__--__--
>
> Message: 6
> Reply-To: <[EMAIL PROTECTED]>
> From: "Ben Keepper" <[EMAIL PROTECTED]>
> To: "'Slade Edmonds'" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Subject: RE: Stonegate Firewall ( what do you think? )
> Date: Mon, 9 Jul 2001 16:42:03 -0700
> Organization: Paladin Security Systems
>
> A lot of people on the list are responding like Stonesoft is somebody new to the game.
>
> They are not.
>
> They are (or were) the largest installer and trainer of Checkpoint firewalls in Europe until they released their firewall product.
>
> It is my understanding that their lawsuit is a response to Checkpoint's heavy-handed attempt to remove FullCluster from the OPSEC certified list and removing StoneSoft's designation as a Checkpoint trainer (read anti-competitive).
>
> I am not inviting a conversation about this issue, so don't bother. This is just my understanding.
>
> The product itself is very similar to Checkpoint, with respect to stateful firewalling.
>
> However, I saw a lot of promise in how it handles both clustering, management, and installation.
>
> Management (and logging) can be redundant and installing additional nodes in a cluster takes about 30 minutes (literally). You can use cheap Intel boxes and have a very scalable firewall cluster. The management and logging server are Java-based. You actually configure the nodes in the cluster using the management server, then load the software/OS onto the nodes and retrieve the config info. I found that a very interesting concept.
>
> You install OS and firewall software as one component. They use Debian-based Linux, and in my opinion, the package was more secure than the Nokia/IPSO/BSD package for FW-1 with which I am more familiar.
>
> When I went through the Beta, they had yet to make the VPN work and there were some other minor bugs. I went through the beta about two months before they released to the public.
>
> I don't know if those problems were fixed or not (I would assume they are).
>
> Ready for primetime? Couldn't tell you, I also am still waiting for the post-release demo I was promised.
>
> Ben
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Slade Edmonds
> Sent: Monday, July 09, 2001 11:38 AM
> To: [EMAIL PROTECTED]
> Subject: Stonegate Firewall ( what do you think? )
>
> I wanna know what people out there think about the Stonegate Firewall product. Is it good? Do people actually use it? Are there people that *don't* like it? Etc. Etc.
>
> Thanks
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
> --__--__--
>
> Message: 7
> From: Ben Nagy <[EMAIL PROTECTED]>
> To: 'Alvin Oga' <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Multi-homed Internet connection
> Date: Tue, 10 Jul 2001 09:59:08 +1000
>
> > -----Original Message-----
> > From: Alvin Oga [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 09, 2001 6:06 PM
> > To: Ben Nagy
> > Cc: 'Alvin Oga'; '[EMAIL PROTECTED]'
> > Subject: RE: Multi-homed Internet connection
> >
> > hi ben...
> >
> > its a simplified drawing...
>
> Maybe you should have used the complex one. ;)
>
> > am just saying that if someone wants www.foo.com ( 1.2.3.4 ) to be routed via isp#1..... they can not also have www.foo.com routed by isp#2
>
> Not if it's the same IP address, no. There's a large chunk of DNS tricks and products that exist to provide an answer to the multihoming problem for inbound traffic. They can be as simple as RR DNS records and they can get extremely complex (Distributed Director, for example).
>
> > if they want incoming traffic for www.foo.com to arrive from either isp#1 or isp#2... they'd need to be using "autonomous"(?) ip# that is routable by BOTH isp
>
> They need a fully fledged AS, yes. The inbound traffic will only ever enter their AS through one path at a time, though. That's just how BGP works. It doesn't ever load balance, it installs the best route and sticks to it.
>
> > for outgoing traffic...thats locally handled by ifconfig and metric for the route
>
> Not unless you're running some unusually impressive routing on your firewall it's not.
> Static routes will not do this - a box with equal metric statics will normally pick one path and send everything out of it - so load balancing is probably out of the question. Normally it's quite difficult to have standby or "floating" backup routes using statics only, as well. Your behaviour on losing one route will be fairly implementation dependent. I suspect that in most cases the firewall will never use the higher metric route - and only ever when layer two goes down on the ethernet (so you'd need a crossover cable).
>
> The "correct" way to solve this problem, as several other people mentioned, is to do the multihoming on a router, not the firewall. Interestingly, I believe that IN THEORY, you can do this Cute Hack:
>
> Get a Cisco router. Turn on netflow. Have two external ISPs, and NAT your internal space into two pools using route-maps. Load balance the external routes using EIGRP or OSPF. Netflow's caching mechanism should then send all packets for a given TCP session via the same path (which solves a problem that should be obvious if you're even thinking about trying this). YMMV with non-TCP traffic.
>
> I haven't tried this, though, sorry. [1]
>
> > i combined the "gateway" into the firewall...
> > - one box that converts local internal LAN as a gateway to either isp...
> >
> > nothing fancy in this config...
>
> I noticed. That's why I pointed out that it wouldn't work.
>
> > other than the same routable ip# by two different ISPs to get to the same www.foo.com
> > - the two isp can figure out amongst themselves who can deliver that traffic at that instant ... i don't know what protocol they use ...
>
> They use BGP. They can't just "work it out" though - your firewall would need to run BGP and have two eBGP peers, the way you've drawn your diagram. Part of having a real AS is the responsibility to run BGP.
>
> > have fun
> > alvin
>
> Cheers,
>
> [1] This scheme courtesy of my friend AndrewR.
> --
> Ben Nagy
> Network Security Specialist
> Marconi Services Australia Pty Ltd
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> --__--__--
>
> Message: 8
> Reply-To: <[EMAIL PROTECTED]>
> From: "Jason Lewis" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: L2TP through PIX
> Date: Mon, 9 Jul 2001 20:19:59 -0400
>
> I am trying to create an L2TP tunnel through a PIX running 5.3(1). I have ESP and ISAKMP open to the target server behind the PIX. Clients fail to connect at the end of the negotiation where the server has to respond to the client.
>
> Am I missing something? Could the PIX be causing the problem?
>
> I am using NAT for the server but not PAT. According to the docs, it should work.
>
> Jason Lewis
> http://www.packetnexus.com
> It's not secure "Because they told me it was secure".
> The people at the other end of the link know less about security than you do. And that's scary.
>
> --__--__--
>
> Message: 9
> From: "Reckhard, Tobias" <[EMAIL PROTECTED]>
> To: "'gilles'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: ipchains, the liar
> Date: Mon, 9 Jul 2001 08:38:16 +0200
>
> > So, I've put
> > ipchains -I input 1 ! -i lo -d 0/0 mysql -p tcp -j REJECT
> > on a term and launched the mysql server, performed my tests on mysql on localhost and then I've shut it down but I've got this:
> >
> > [root@depht ddclient-3.4.2]# nmap -sS 10.0.0.10 -P0 -p3306
> >
> > Starting nmap V. 2.30BETA17 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
> > Interesting ports on (10.0.0.10):
> > Port       State     Service
> > 3306/tcp   filtered  mysql
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
> >
> > This port doesn't appear in the `netstat -ln` output. Have you an idea?
>
> Well, it's probably because the Linux kernel is responding differently than if the socket wasn't filtered with ipchains.
> I'd thought ipchains' REJECT response was the ICMP message 'port unreachable' and therefore the same as that of a box with no process listening to the port concerned, but it could well be different. Or there are subtle responses that nmap uses to figure out the difference between a closed and a filtered port.
>
> You could use tcpdump to capture the ICMP traffic on the interface concerned and try and find a difference between ipchains and non-ipchains 'mode'.
>
> HTH
> Tobias
>
> --__--__--
>
> Message: 10
> Date: Fri, 29 Jun 2001 21:52:23 -0700 (PDT)
> From: Ravi Kumar <[EMAIL PROTECTED]>
> Subject: Blocking of Yahoo Messenger
> To: [EMAIL PROTECTED]
>
> Hi,
>
> How can we block the Yahoo Messenger/chat applet? I tried with port 5050, but it did not work. How can we block that?
>
> Thanks & Bye
>
> Gm
>
> --__--__--
>
> Message: 11
> From: Ronneil Camara <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: Blocking of Yahoo Messenger
> Date: Mon, 9 Jul 2001 23:13:25 -0500
>
> Hi,
>
> The easy way is to block all traffic going to the IP address(es) of Yahoo Messenger. :-) It will work but not a good idea.
>
> Why don't you try to establish a Yahoo Messenger session again and once connected, do a netstat -an on that client machine.
>
> Hope this helps....
>
> Neil
>
> -----Original Message-----
> From: Ravi Kumar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 29, 2001 11:52 PM
> To: [EMAIL PROTECTED]
> Subject: Blocking of Yahoo Messenger
>
> Hi,
>
> How can we block the Yahoo Messenger/chat applet? I tried with port 5050, but it did not work. How can we block that?
>
> Thanks & Bye
>
> Gm
>
> --__--__--
>
> Message: 12
> Date: Mon, 09 Jul 2001 21:22:54 -0700
> From: "Steven Pierce" <[EMAIL PROTECTED]>
> To: "Ronneil Camara" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: RE: Blocking of Yahoo Messenger
>
> Neil,
>
> If you did this would that only work on that one session? Since it is not a static IP address it would change each time you log in. So that would be good for the one time, or any other time that IP address was used in your network. Could you not do a series of addresses?
>
> 116.323.X.X??
>
> Just asking, not trying to step on toes..
>
> S
> *********** REPLY SEPARATOR ***********
>
> On 7/9/2001 at 23:13 Ronneil Camara wrote:
>
> >Hi,
> >
> >The easy way is to block all traffic going to the IP address(es) of Yahoo Messenger. :-) It will work but not a good idea.
> >
> >Why don't you try to establish a Yahoo Messenger session again and once connected, do a netstat -an on that client machine.
> >
> >Hope this helps....
> >
> >Neil
> >
> >-----Original Message-----
> >From: Ravi Kumar [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, June 29, 2001 11:52 PM
> >To: [EMAIL PROTECTED]
> >Subject: Blocking of Yahoo Messenger
> >
> >Hi,
> >
> >How can we block the Yahoo Messenger/chat applet? I tried with port 5050, but it did not work. How can we block that?
> >
> >Thanks & Bye
> >
> >Gm
>
> --__--__--
>
> End of Firewalls Digest

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
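Why the nmap run in Message 9 reports 3306/tcp as "filtered" rather than "closed": a TCP port with nothing listening answers a SYN with a RST, which a SYN scan reports as closed, whereas an ICMP destination-unreachable error (what ipchains -j REJECT sends back) or no answer at all (what -j DENY produces) is reported as filtered. The Python below is an added example, not code from the digest or from nmap; it builds three constructed raw IPv4 replies (addresses and ports are made up) and applies that classification.

```python
"""Classify what a SYN-scan probe would conclude from one reply packet.

Constructed example for the ipchains/nmap exchange in the digest; not code
from the list or from nmap. Addresses 10.0.0.1 (scanner) and 10.0.0.10
(scanned host) and the ports are made up for the demonstration.
"""
import struct

IPPROTO_ICMP = 1
IPPROTO_TCP = 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP type 3 (destination unreachable) codes that a SYN scan reports as "filtered"
ICMP_UNREACH_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}


def ipv4_header(proto, src="10.0.0.10", dst="10.0.0.1", payload_len=0):
    """Minimal 20-byte IPv4 header (checksum left at 0; not needed to parse)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)


def tcp_reply(flags, sport=3306, dport=40000):
    """IPv4 + 20-byte TCP header with the given flags, as the scanned host would send it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 5 << 4, flags, 8192, 0, 0)
    return ipv4_header(IPPROTO_TCP, payload_len=len(tcp)) + tcp


def icmp_unreachable(code=3):
    """IPv4 + ICMP type 3 error quoting the probe's IP header and first 8 TCP bytes."""
    quoted = ipv4_header(IPPROTO_TCP, src="10.0.0.1", dst="10.0.0.10", payload_len=20)
    quoted += struct.pack("!HHI", 40000, 3306, 0)  # probe's source port, dest port, seq
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return ipv4_header(IPPROTO_ICMP, payload_len=len(icmp)) + icmp


def classify_syn_probe_reply(packet):
    """Port state a SYN scan reports for one reply; None means the packet is not a reply."""
    if packet is None:
        return "filtered"  # silence (e.g. ipchains -j DENY): retried, then reported filtered
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_TCP:
        flags = body[13]
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"
        if flags & TCP_RST:
            return "closed"  # kernel RST: nothing listening and no filter in the way
    elif proto == IPPROTO_ICMP:
        icmp_type, icmp_code = body[0], body[1]
        if icmp_type == 3 and icmp_code in ICMP_UNREACH_FILTERED_CODES:
            return "filtered"  # an ICMP error means a filter answered, not the socket
    return None


def demo():
    """The cases behind the thread: mysqld listening, stopped, REJECT rule, DENY rule."""
    return {
        "mysqld listening": classify_syn_probe_reply(tcp_reply(TCP_SYN | TCP_ACK)),
        "mysqld stopped, no rule": classify_syn_probe_reply(tcp_reply(TCP_RST)),
        "ipchains -j REJECT": classify_syn_probe_reply(icmp_unreachable(3)),
        "ipchains -j DENY": classify_syn_probe_reply(None),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:26s} -> {state}")
```

Capturing the reply with tcpdump, as Tobias suggests, shows the same distinction directly: a RST from the host versus an ICMP unreachable from the filter.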
