Pathetic.

----- Original Message -----
From: "piranha x" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, December 05, 2001 3:48 AM
Subject: Re: Firewall authentication & W2K Terminal Server

> uncontrolled absurd beer fart LOL's...
>
> piranha...
>
> /* My Lord Tzu, the first tao of combat is
> learning retreat is a weapon
> Yuen Li, Archery Sifu to General Sun Tzu */
>
> >From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> >To: "piranha" <[EMAIL PROTECTED]>, "John Steniger" <[EMAIL PROTECTED]>, "'Andy Jonkers'" <[EMAIL PROTECTED]>, "Eric Samburn" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> >Subject: Re: Firewall authentication & W2K Terminal Server
> >Date: Wed, 28 Nov 2001 20:15:46 -0500
> >
> >I guess I'd be more inclined to listen if you actually *said* something
> >instead of dismissing out of hand. (Note that I despise MS Proxy and avoid
> >using it, so this isn't a matter of my being biased.)
> >
> >Laura
> >----- Original Message -----
> >From: "piranha" <[EMAIL PROTECTED]>
> >To: "Laura A. Robinson" <[EMAIL PROTECTED]>; "John Steniger" <[EMAIL PROTECTED]>; "'Andy Jonkers'" <[EMAIL PROTECTED]>; "Eric Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> >Sent: Wednesday, November 28, 2001 8:12 PM
> >Subject: Re: Firewall authentication & W2K Terminal Server
> >
> > > i repeat...lol...
> > >
> > > big f)(*king lol...
> > >
> > > ----- Original Message -----
> > > From: "Laura A. Robinson" <[EMAIL PROTECTED]>
> > > To: "piranha" <[EMAIL PROTECTED]>; "John Steniger" <[EMAIL PROTECTED]>; "'Andy Jonkers'" <[EMAIL PROTECTED]>; "Eric Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > Sent: Wednesday, November 28, 2001 4:55 PM
> > > Subject: Re: Firewall authentication & W2K Terminal Server
> > >
> > > > Actually, I know some pretty dedicated hackers who say that a properly
> > > > configured MS Proxy 2.0 box is actually much harder for them to hack than
> > > > CheckPoint, PIX, ipchains, or any other firewall.
> > > >
> > > > Laura
> > > > ----- Original Message -----
> > > > From: "piranha" <[EMAIL PROTECTED]>
> > > > To: "John Steniger" <[EMAIL PROTECTED]>; "'Andy Jonkers'" <[EMAIL PROTECTED]>; "Eric Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, November 28, 2001 7:52 PM
> > > > Subject: Re: Firewall authentication & W2K Terminal Server
> > > >
> > > > > lol
> > > > > lol
> > > > > lol
> > > > > lol
> > > > > lol
> > > > >
> > > > > big lol...
> > > > >
> > > > > piranha
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "John Steniger" <[EMAIL PROTECTED]>
> > > > > To: "'Andy Jonkers'" <[EMAIL PROTECTED]>; "Eric Samburn" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > > > > Sent: Wednesday, November 28, 2001 5:32 AM
> > > > > Subject: RE: Firewall authentication & W2K Terminal Server
> > > > >
> > > > > > Is there any reason you are looking for a firewall and not a proxy solution?
> > > > > > We have almost the same setup (NT 4.0 Terminal server). We use MS Proxy
> > > > > > Server to authenticate to the web and log usage by user, and a
> > > > > > packet-filtering firewall for outbound and inbound packet filtering. I
> > > > > > think a proxy solution would better fix your problem in this case (but don't
> > > > > > disregard the firewall for inbound/outbound filtering!). We have experience
> > > > > > with the Microsoft solution, and it does the trick.
> > > > > >
> > > > > > John J. Steniger
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > > > > > > Sent: Wednesday, November 28, 2001 1:53 AM
> > > > > > > To: Eric Samburn; [EMAIL PROTECTED]
> > > > > > > Subject: Re: Firewall authentication & W2K Terminal Server
> > > > > > >
> > > > > > > Hey,
> > > > > > >
> > > > > > > What you have written explains exactly what I'm experiencing, and what you
> > > > > > > are suggesting is what I need. But is it possible to give me a product that
> > > > > > > can do what I want.
> > > > > > > Some people speak of a PIX, but as far as I'm aware of my problem, they will
> > > > > > > experience the same kind of problems. This is because, as you have
> > > > > > > suggested, each Browser Session on a Terminal Server is a session on
> > > > > > > itself, and all data leaving the TS seems to be from only one user instead
> > > > > > > of different users.
> > > > > > > Already thanks for your answers.
> > > > > > >
> > > > > > > Andy
> > > > > > > ----- Original Message -----
> > > > > > > From: "Eric Samburn" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Wednesday, November 28, 2001 2:37 AM
> > > > > > > Subject: RE: Firewall authentication & W2K Terminal Server
> > > > > > >
> > > > > > > > I don't want to get into application proxy / packet filtering debate,
> > > > > > > > but think about it.
> > > > > > > >
> > > > > > > > The TS is on the internal network behind the firewall.
> > > > > > > > Staff are logged into the TS and startup their instance of browser.
> > > > > > > >
> > > > > > > > From the firewall's perspective, the traffic is TCP. The data packets will
> > > > > > > > only provide src addr, src port, dest addr, dest port. Since all
> > > > > > > > connections are from the same TS, there is no way a packet filtering
> > > > > > > > firewall can distinguish which connection belongs to which user.
> > > > > > > > What you need is a http proxy. Some firewalls provide a http proxy that
> > > > > > > > supports proxy "Basic Authentication" (the one specified in the http
> > > > > > > > standard).
> > > > > > > >
> > > > > > > > That way you can control and log all web surfing usage.
> > > > > > > >
> > > > > > > > Alternatively, you put a http proxy on the internal network, and the
> > > > > > > > firewall is configured to ONLY allow the proxy server to go to the Net.
> > > > > > > > And all users from the TS need to config their browser to use the proxy
> > > > > > > > for web surfing.
> > > > > > > >
> > > > > > > > I just can't see how a packet filtering firewall can solve this problem.
> > > > > > > >
> > > > > > > > >From: "Kuff, Hal" <[EMAIL PROTECTED]>
> > > > > > > > >To: "'Clark, Steve'" <[EMAIL PROTECTED]>, "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > > > > > > > >Subject: RE: Firewall authentication & W2K Terminal Server
> > > > > > > > >Date: Tue, 27 Nov 2001 19:18:54 -0500
> > > > > > > > >
> > > > > > > > >This is indeed an old and annoying issue... we suffer as well... it's
> > > > > > > > >almost impossible to identify what session on a TSE machine maps into a
> > > > > > > > >session on a PIX.. we're interested as well.
> > > > > > > > >
> > > > > > > > >-----Original Message-----
> > > > > > > > >From: Andy Jonkers [mailto:[EMAIL PROTECTED]]
> > > > > > > > >Sent: Tuesday, November 27, 2001 5:39 PM
> > > > > > > > >To: [EMAIL PROTECTED]
> > > > > > > > >Subject: Firewall authentication & W2K Terminal Server
> > > > > > > > >
> > > > > > > > >Hey,
> > > > > > > > >
> > > > > > > > >I'm looking for a firewall, which can give me a solution for the problem
> > > > > > > > >I'll be describing.
> > > > > > > > >
> > > > > > > > >I've got a Windows 2000 Terminal Server, and the Terminal Server clients can
> > > > > > > > >browse the Internet using their session. However, they need to be
> > > > > > > > >authenticated by a firewall appliance before they are allowed, and their
> > > > > > > > >activity needs to be logged on a user basis.
> > > > > > > > >
> > > > > > > > >The firewall I'm testing for the moment -WatchGuard Firebox II- cannot
> > > > > > > > >do what I want. Once a Terminal Server user authenticates successfully, all
> > > > > > > > >others are allowed. This is because my WatchGuard dynamically changes the
> > > > > > > > >ACLs, because of the successful authentication, and allows Internet access
> > > > > > > > >originated from the Terminal Server Source IP. Additionally, it cannot log
> > > > > > > > >on a user basis, as far as my WatchGuard is concerned it comes from the
> > > > > > > > >Terminal Server.
> > > > > > > > >I've also tested the Nortel Contivity Instant Internet Gateway, and they
> > > > > > > > >have the same problem as above.
> > > > > > > > >During my CheckPoint Firewall-1 training, I've asked the same question. The
> > > > > > > > >Certified Instructor told me it wasn't possible on CP FW-1, for the same
> > > > > > > > >reasons as described above. However, I didn't have the opportunity to test
> > > > > > > > >it so far.
> > > > > > > > >
> > > > > > > > >Does anyone know a firewall which can perform what I want? And if yes, can
> > > > > > > > >he or she describe how it is done? Any help is welcome, and I thank you for
> > > > > > > > >the answer(s) to my question.
> > > > > > > > >
> > > > > > > > >Regards,
> > > > > > > > >Andy JONKERS
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Firewalls mailing list
> > > > > > > [EMAIL PROTECTED]
> > > > > > > http://lists.gnac.net/mailman/listinfo/firewalls
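The distinction Eric Samburn's message draws, shown as an added example that is not part of the original thread: a packet filter can only key on the Terminal Server's source address, while a proxy that requires HTTP Basic proxy authentication can attribute each request to a user. The addresses, user names, URLs and function names are constructed for illustration, and password verification against a user directory is left out.

```python
import base64
import binascii
from collections import Counter, defaultdict

def _basic(user, password):
    """Build the Basic credential a browser would send (constructed sample data)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed sample: four browser connections, all from one Terminal Server.
# Tuple = (src_ip, src_port, request head as received by the proxy).
SAMPLE = [
    ("10.0.0.5", 1025, f"GET http://example.com/a HTTP/1.0\r\nProxy-Authorization: Basic {_basic('alice', 'pw1')}\r\n\r\n"),
    ("10.0.0.5", 1026, f"GET http://example.org/b HTTP/1.0\r\nproxy-authorization: basic {_basic('bob', 'p:w2')}\r\n\r\n"),
    ("10.0.0.5", 1027, f"GET http://example.com/c HTTP/1.0\r\nProxy-Authorization: Basic {_basic('alice', 'pw1')}\r\n\r\n"),
    ("10.0.0.5", 1028, "GET http://example.net/d HTTP/1.0\r\nHost: example.net\r\n\r\n"),
]

def packet_filter_view(conns):
    """What a packet filter can key on: the source address (ports are ephemeral)."""
    return dict(Counter(src_ip for src_ip, _port, _head in conns))

def proxy_user(head):
    """Return the user name from Proxy-Authorization: Basic, or None (answer 407)."""
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # Split on the first colon only: the password may itself contain colons.
        user, colon, _password = decoded.partition(":")
        return user if colon and user else None
    return None

def proxy_view(conns):
    """Per-user URL log as the proxy can write it; None marks requests answered 407."""
    log = defaultdict(list)
    for _ip, _port, head in conns:
        url = head.split("\r\n")[0].split(" ")[1]
        log[proxy_user(head)].append(url)
    return dict(log)
```

On the sample, `packet_filter_view` collapses all four connections into the single Terminal Server address, while `proxy_view` separates them by user and isolates the request that arrived without credentials.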
