Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread william(at)elan.net



On Wed, 14 Sep 2005, Roy Badami wrote:


   william(at)elan> Could you elaborate on how firewall will
   william(at)elan> determine if the connection is from mail server
   william(at)elan> or from telnet on port 25?

Perhaps because most telnet clients will attempt telnet option
negotiation?  If so one could avoid this by using a client such as
netcat...


Telnet option negotiation is at Layer 7 after TCP connection has been
established. Firewalls typically don't operate at this level (TCP session
is Layer 4 if I remember right) and would refuse or reject (different
type of ICMP response) based solely on attempt to connect to certain
ip or certain TCP/UDP port.

--
William Leibzon
Elan Networks
[EMAIL PROTECTED]


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Adam McKenna

On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
> Telnet option negotiation is at Layer 7 after TCP connection has been
> established. Firewalls typically don't operate at this level (TCP session
> is Layer 4 if I remember right) and would refuse or reject (different
> type of ICMP response) based solely on attempt to connect to certain
> ip or certain TCP/UDP port.

Application layer firewalls have existed for at least 6 years.

--Adam


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Crist Clark


Adam McKenna wrote:

> On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
>
> > Telnet option negotiation is at Layer 7 after TCP connection has been
> > established. Firewalls typically don't operate at this level (TCP session
> > is Layer 4 if I remember right) and would refuse or reject (different
> > type of ICMP response) based solely on attempt to connect to certain
> > ip or certain TCP/UDP port.
>
> Application layer firewalls have existed for at least 6 years.


AAAGGHH!

But the point is that you would still establish a TCP connection
before a MTA, firewall, IPS, or whatever could know it was telnet!
The FEMA address that started this whole thing was timing out. You
can tell the difference between a telnet filter and something
completely, silently blocking 25/tcp.

CAN THIS DIE NOW? Pueese...
--
Crist J. Clark   [EMAIL PROTECTED]
Globalstar Communications(408) 933-4387


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Adam McKenna writes:
>
>On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
>> Telnet option negotiation is at Layer 7 after TCP connection has been
>> established. Firewalls typically don't operate at this level (TCP session
>> is Layer 4 if I remember right) and would refuse or reject (different
>> type of ICMP response) based solely on attempt to connect to certain
>> ip or certain TCP/UDP port.
>
>Application layer firewalls have existed for at least 6 years.
>
Make that 15

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




RE: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Hannigan, Martin

> >
> >Application layer firewalls have existed for at least 6 years.
> >
> Make that 15


Socks, fwtk (before it went commercial) to name a few.

-M<


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 04:31:05PM -0700, william(at)elan.net wrote:
> On Wed, 14 Sep 2005, Roy Badami wrote:
> 
> >   william(at)elan> Could you elaborate on how firewall will
> >   william(at)elan> determine if the connection is from mail server
> >   william(at)elan> or from telnet on port 25?
> >
> >Perhaps because most telnet clients will attempt telnet option
> >negotiation?  If so one could avoid this by using a client such as
> >netcat...
> 
> Telnet option negotiation is at Layer 7 after TCP connection has been
> established. Firewalls typically don't operate at this level (TCP session
> is Layer 4 if I remember right) and would refuse or reject (different
> type of ICMP response) based solely on attempt to connect to certain
> ip or certain TCP/UDP port.


You're talking about the packet filters that marketeers sell as
"firewalls".  The best firewalls operate at the application layer.  And,
yes, that's an OPINION, no need to rave.


-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-13 Thread Dave Crocker






> > Application layer firewalls have existed for at least 6 years.
>
> Make that 15


I suspect that claiming that they existed farther back than 1990 would 
require careful debate about the functionality.


Taking it at its most general: a boundary barrier service that mediated 
particular application exchanges between an "interior" Administrative 
Environment, versus the rest of the public network.  One can reasonably argue 
that any such mediation has a security component to it.


Therefore one could argue that firewall functionality was around at least 25 
years ago -- there were a number of email boundary gateway mediating services 
by then -- and very probably back to 1973.  (I just know that some MIT type is 
going to claim pre-1970, given the generality of the definition I offered.)


d/
--

 Dave Crocker
 Brandenburg InternetWorking
 +1.408.246.8253
 dcrocker  a t ...
 WE'VE MOVED to:  www.bbiw.net


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-14 Thread Tony Finch

On Wed, 14 Sep 2005, Roy Badami wrote:
>
> Perhaps because most telnet clients will attempt telnet option
> negotiation?

No they won't. I don't have any copies of BSD to hand from before 1987,
but even then Berkeley Telnet would not do unsolicited option negotiation
if you specified a port number.

Tony.
-- 
f.a.n.finch  <[EMAIL PROTECTED]>  http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
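Roy Badami's proposed tell and Tony Finch's objection to it can both be seen in a few lines of parsing. The Python below is an added example, not code from the thread: `telnet_negotiations` walks a buffer of the client's first bytes using RFC 854 framing (IAC verb option; IAC SB ... IAC SE; and IAC IAC as an escaped literal 0xFF, so a lone 0xFF in 8-bit data is not evidence of telnet), and `classify_client_opening` labels what arrived before the server's greeting. The byte strings TELNET_SAMPLE, EARLY_TALKER_SAMPLE, ESCAPED_FF_SAMPLE and SUBNEG_SAMPLE are constructed, not captures; TELNET_SAMPLE mimics a client that negotiates unsolicited options, which, as Tony says, a BSD-derived telnet given an explicit port does not do. That is the caveat the code makes visible: a client that sends nothing until the 220 greeting is classified "silent", and telnet to port 25, netcat and a well-behaved MTA all look exactly like that.

```python
# Added example (not from the thread): recognise telnet option negotiation in
# the first bytes a client sends to port 25, following RFC 854 framing.

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERB_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}

# Constructed samples (not captures of any particular client).
TELNET_SAMPLE = b"\xff\xfd\x03\xff\xfb\x18\xff\xfb\x1f"  # DO SGA, WILL TERMINAL-TYPE, WILL NAWS
EARLY_TALKER_SAMPLE = b"EHLO client.example\r\n"         # spoke before the greeting
ESCAPED_FF_SAMPLE = b"\xff\xff"                          # one literal 0xFF data byte
SUBNEG_SAMPLE = b"\xff\xfa\x18\x00\xff\xf0"              # IAC SB TERMINAL-TYPE ... IAC SE


def telnet_negotiations(data):
    """Return [(verb, option), ...] for every negotiation found in data.

    Incomplete sequences at the end of the buffer are left undecided (the
    caller should read more), never guessed.
    """
    found = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:
            break                      # truncated IAC: need more bytes
        cmd = data[i + 1]
        if cmd == IAC:
            i += 2                     # escaped 0xFF: ordinary 8-bit data
        elif cmd in VERB_NAMES:
            if i + 2 >= n:
                break                  # truncated DO/DONT/WILL/WONT
            found.append((VERB_NAMES[cmd], data[i + 2]))
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                  # unterminated subnegotiation
            found.append(("SB", data[i + 2] if i + 2 < end else None))
            i = end + 2
        else:
            i += 2                     # NOP, AYT, BRK, ...: two-byte commands
    return found


def describe(negotiations):
    """Human-readable form, e.g. 'DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE'."""
    return ", ".join(f"{verb} {OPTION_NAMES.get(opt, opt)}" for verb, opt in negotiations)


def classify_client_opening(data):
    """Label what a client sent before the server's 220 greeting."""
    if not data:
        # telnet with an explicit port, netcat and a proper MTA are identical here
        return "silent"
    if telnet_negotiations(data):
        return "telnet-negotiation"
    head = data.lstrip().upper()
    if head.startswith((b"HELO", b"EHLO", b"QUIT", b"NOOP", b"STARTTLS")):
        return "early-talker"          # an SMTP client should have waited for 220
    return "unknown"


if __name__ == "__main__":
    for sample in (TELNET_SAMPLE, EARLY_TALKER_SAMPLE, ESCAPED_FF_SAMPLE, SUBNEG_SAMPLE, b""):
        print(classify_client_opening(sample), describe(telnet_negotiations(sample)))
```

An MTA or proxy that applied this check would still have completed the TCP handshake first, and would have to wait for the client to speak; for a client that never sends unsolicited negotiation there is nothing to see until the server's own greeting goes out.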


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-14 Thread Joseph S D Yao

On Tue, Sep 13, 2005 at 11:09:54PM -0700, Dave Crocker wrote:
> >>Application layer firewalls have existed for at least 6 years.
> >>
> >Make that 15
> 
> I suspect that claiming that they existed farther back than 1990 would 
> require careful debate about the functionality.
> 
> Taking it at its most general: a boundary barrier service that mediated 
> particular application exchanges between an "interior" Administrative 
> Environment, versus the rest of the public network.  One can reasonably 
> argue that any such mediation has a security component to it.
> 
> Therefore one could argue that firewall functionality was around at least 
> 25 years ago -- there were a number of email boundary gateway mediating 
> services by then -- and very probably back to 1973.  (I just know that some 
> MIT type is going to claim pre-1970, given the generality of the definition 
> I offered.)


Dave,

I think the mail gateways back when the various networks were being put
together into an internet had as their functional purpose unifying
disparate networks.  On the contrary, a firewall has as its purpose
partitioning a network that otherwise would not have been.  I don't
think one will hear from MIT, given that.

But Steve and Ches and Dave Presotto at Bell, and Brian Reid and others
at DEC, were doing the partitioning thing in the late 1980's and 1990.
Right?

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-14 Thread Robert E. Seastrom


Joseph S D Yao <[EMAIL PROTECTED]> writes:

> Dave,
>
> I think the mail gateways back when the various networks were being put
> together into an internet had as their functional purpose unifying
> disparate networks.  On the contrary, a firewall has as its purpose
> partitioning a network that otherwise would not have been.  

When ARPA and MILNET were segmented in 1984, there were
(Fuzzball-based IIRC) mail gateways between the two networks.

The intended purpose of these devices was to restrict inter-network
traffic to only email between two networks that were formerly one, so
they're best looked at as a policy enforcement tool rather than a
unifier the same way that, say, WISCVM.BITNET or ...!uunet!... was.
It's not clear to me whether they were simply packet filters or actual
application level gateways (given the capabilities of the fuzzball, my
inclination is to think the former, but it's still worth taking note
of).  Besides, I was in high school at the time; it's not as if I had
anything to do with the actual implementation.

Those of a historical mind are encouraged to read Request For Kludges
821 - SMTP Polymorph Command:
http://www.ibiblio.org/pub/docs/humor/fionavar/rfk_821

You may also find this interesting (particularly "On the
Undesirability of 'Mail Bridges' as a Security Measure" by the late
Mike Muuss); "walled garden" complaints and griping about gratuitously
hosing the end-to-end model far predate the last decade and the
lossage imparted by NAT:
http://www.scatteredsheep.com/darpa-arpa-internet.htm

> I don't think one will hear from MIT, given that.

As much time as I've spent hanging out at MIT over the years, I don't
count.  ;-)

---Rob



Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-14 Thread Steven M. Bellovin

In message <[EMAIL PROTECTED]>, Joseph S D Yao writes:
>
>On Tue, Sep 13, 2005 at 11:09:54PM -0700, Dave Crocker wrote:

>
>I think the mail gateways back when the various networks were being put
>together into an internet had as their functional purpose unifying
>disparate networks.  On the contrary, a firewall has as its purpose
>partitioning a network that otherwise would not have been.  I don't
>think one will hear from MIT, given that.
>
>But Steve and Ches and Dave Presotto at Bell, and Brian Reid and others
>at DEC, were doing the partitioning thing in the late 1980's and 1990.
>Right?
>
Right, but Seastrom is correct.  If you read the old TCP/IP Transition 
Handbook, you'll see that it talks about shutting off connectivity to 
MILNET and running mailbridges instead.  What's unclear to me is how 
much of that was ever built, but the intent was quite clear.  I regard 
that as the first TCP/IP application firewall, vintage around 1981.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb




Re: mail service with no mx (was - Re: Computer systems blamed for feeble hurricane response?)

2005-09-15 Thread Joseph S D Yao

On Wed, Sep 14, 2005 at 08:26:54PM -0400, Robert E. Seastrom wrote:
...
> When ARPA and MILNET were segmented in 1984, there were
> (Fuzzball-based IIRC) mail gateways between the two networks.
...

I hadn't thought back to that.  From what I remember of the intent, and
the little I knew about the intended design, they would qualify.

But ... did the full intended partitioning ever happen?  That I don't
remember, I was working on a kind of isolated network at the time.  ;-)

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.