--------
From academic-firewalls-owner@net.tamu.edu Sun Nov 20 16:22:41 1994
X-Sender: econrad@it
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Date: Sun, 20 Nov 1994 17:16:42 -0500 (EST)
From: Eric Conrad
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Multiple interfaces with netwatch

> So what is netwatch and where can one get a copy? (Solaris 2.3)

It's part of netlog and available from net.tamu.edu in /pub/security/TAMU.
From the README:

    netlog 1.2 -- January 5, 1994

    These directories contain a TCP and UDP traffic logging system. These
    programs are a part of the network security system used by Texas A&M
    University. It can be used for locating suspicious network traffic.

    The following programs are included:

        tcplogger - Log all TCP connections on a subnet
        udplogger - Log all UDP sessions on a subnet
        extract   - Process log files created by tcplogger or udplogger
        netwatch  - Realtime network monitor

    All three programs require an ANSI C compiler. Tcplogger and udplogger
    use the SunOS 4.x Network Interface Tap (nit) or SunOS 5.x Data Link
    Provider Interface (DLPI).

--------
From academic-firewalls-owner@net.tamu.edu Thu Nov 24 20:55:40 1994
Organization: Auckland Institute of Technology
X-Mailer: Pegasus Mail v3.21
Date: Fri, 25 Nov 1994 15:49:18 GMT+1200
From: "Mark Wilson"
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Internet Access Management

I am forwarding the following request on behalf of a colleague at
Christchurch Polytechnic. While his request is not precisely a
classical firewall, it embodies a lot of the characteristics of an
Internet gateway. There must surely be other institutions besides
New Zealand ones who are having to grapple with restricting (and
logging) IP traffic from PCs on their LANs to the Internet without
the presence of Unix boxes.

Regards,
Mark Wilson.

Information Technology Group, Auckland Institute of Technology,
+ 649 3079999 x 8402   Fax: +649 3079901   Private Bag 92006, Auckland
New Zealand.

------- Forwarded Message Follows -------

From:          "Derham McAven"
To:            "CIT: Polytechnic CSC Managers List"
Subject:       Internet Access Management
Date sent:     Wed, 16 Nov 1994 15:34:23 GMT+1200
Send reply to: poly-mgr@csc.cit.ac.nz

I have identified in discussions with various Poly Computer
Managers/experts (not sure if that's mutually exclusive) around the
country the need for a mechanism to control/manage access by students
to the Internet. We recognise the desirability of having free student
access but do not believe this can be sustained as part of the
overheads, especially when the growth in uses such as Mosaic, WWW,
cuseeme really gather momentum.

The concept is to have a TOLLGATE (name registered) which sits
astride the Internet connection and only allows traffic which has an
authorisation. This is implemented in a variety of ways in larger
machine sites but there does not appear to be anything that operates
in a Novell only environment, which is what many of us need.

The simple concept is that there be a monitoring of traffic and that
the analysis of that traffic register volumes against thresholds.
There would be different thresholds for different categories of
user. Below the threshold the charge might be X dollars per megabyte
(within other parameters) and above the threshold the fee would be
Y dollars per threshold. A given site might set X=0 and allow "free"
or uncharged access for low levels and kick in with a full
cost-recovery Y at some higher level. I presume arrangements would be
made for staff "charging" to budget accounts.

Thanks to Kerry Koppert, I have the concept of how this might work.
There would be an NLM (or equivalent running on each file server) on
the internal network; call it TOLLPASS. Whenever a user wished to use
the internet gateway they would have to log in and then request a key
from TOLLPASS. TOLLPASS would then create an encrypted token and pass
it to the TOLLGATE unit. That token would include the Novell userid
AND the current IP address of the user and create an entry in the
dynamic list of active users. TOLLGATE would then accumulate traffic
stats for each active user, which would in turn be passed at intervals
to the account management module, which would massage the data
according to the business rules of the site.

This description may lack rigour but it seems to strike a chord with
those I speak to.

..............................

Cheers
Derham McAven

Manager, Computing Resource Centre
Christchurch Polytechnic
Box 22-095
Christchurch
NEW ZEALAND                       Clean and Green!
ph. 64-3-379-8150   FAX 64-3-366-6544

--------
From academic-firewalls-owner@net.tamu.edu Fri Nov 25 16:15:58 1994
In-Reply-To:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
content-length: 3995
Date: Fri, 25 Nov 1994 18:07:43 -0400 (AST)
From: Steve MacLeod
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Internet Access Management

Hmmm, I could use some of this access control myself for our student
internet access; we use Novell and Unix (SUN Solaris 2.3). Which
products are available?

Thanks
--------------------------------------------------------------------
Steve MacLeod       Microcomputer Specialist          (902)539-5300x625
Computer Centre     University College of Cape Breton
Sydney, N.S.        Fax (902)562-0119
Canada B1P 5S2

On Fri, 25 Nov 1994, Mark Wilson wrote:

> I am forwarding the following request on behalf of a colleague at
> Christchurch Polytechnic. While his request is not precisely a
> classical firewall, it embodies a lot of the characteristics of an
> Internet gateway. There must surely be other institutions besides
> New Zealand ones who are having to grapple with restricting (and
> logging) IP traffic from PCs on their LANs to the Internet without
> the presence of Unix boxes.
>
> Regards,
> Mark Wilson.

--------
From academic-firewalls-owner@net.tamu.edu Fri Nov 25 16:33:05 1994
In-Reply-To: from "Steve MacLeod" at Nov 25, 94 06:07:43 pm
X-Mailer: ELM [version 2.4 PL23]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1702
Date: Fri, 25 Nov 1994 14:27:15 -0800 (PST)
From: Peter Van Epp
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Internet Access Management

> Hmmm, I could use some of this access control myself for our student
> internet access; we use Novell and Unix (SUN Solaris 2.3). Which
> products are available?
>
> Thanks
> Steve MacLeod

Since all of our students automatically have Unix accounts on our Unix
hosts, we use the Novell servers (nowadays backed by our campus router)
to restrict the PCs behind the Novell server to connecting only to
local hosts. To get out to the Internet they have to log in to one of
our Unix hosts and then go out to the Internet (the access is logged on
the Unix host).

We have a system that permits the Novell server to ask for the password
salt for an account, then use that to encrypt the user's password and
send the entry to a daemon on a Unix host that gives a "yes" or "no"
answer to whether the password is correct or not (it works this way to
prevent password guessing attacks from the Novell clients). However,
for whatever reason it is not reliable and we are not currently
allowing those machines direct access to the net.

Again, this scheme depends on the fact that we automatically issue
accounts to everyone on request, so everyone authorized to use the
machines has an account available, so your mileage may vary, depending
on your account creation policies and degree of automation (with
25,000 accounts, ours is automated).

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada

--------
From academic-firewalls-owner@net.tamu.edu Fri Nov 25 22:49:30 1994
In-Reply-To: from "Steve MacLeod" at Nov 25, 94 06:07:43 pm
X-Mailer: ELM [version 2.4 PL24alpha3]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 994
Date: Sat, 26 Nov 1994 02:58:12 +0000 (GMT)
From: Steve Kennedy
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: Internet Access Management

According to Steve MacLeod
> Hmmm, I could use some of this access control myself for our student
> internet access; we use Novell and Unix (SUN Solaris 2.3). Which
> products are available?

Check out the KarlBridge/KarlBrouter. The latest version has an
authenticated break-out facility. Please email sales@gbnet.com or
sales@karlnet.com or look at http://www.demon.co.uk/kbridge/

This will also give access to the shareware/demo version (share with
your colleagues, no fee involved) which will give a feel for the
commercial version.

Regards

Steve
--
 ___ |_  ___  ___        Flat 2, 43 Howitt Road
(___ |  (___) \ / (___)  Belsize Park
 ___)|  (___   \/  (___  London NW3 4LU
[MIME OK]                tel +44-(0)171 483 1169
steve@gbnet.{com,org,net}   home (or steve@tel.net)
steve@marvin.demon.co.uk    Demon Internet Dial-up
WWW http://www.demon.co.uk/subscribers/m/marvin/
UNIX/Networking Consulting  steve@NetTek.co.uk
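The TOLLPASS/TOLLGATE design Derham McAven describes earlier in this thread (a token issued on the internal file server that binds the Novell userid to the user's current IP address, a gate on the Internet link that admits only traffic covered by such a token, per-user byte counts, and threshold-based charging) worked through as an added example. This is illustrative code written for this page, not software from any of the posters. The token here is bound with an HMAC over its claims rather than encrypted, since what the gate needs is that the user/IP binding cannot be forged or moved to another address; the shared key, the JSON token layout, the tariff tuple (threshold, X dollars per MB below it, Y dollars per MB above it), the reading of "Y dollars per threshold" as a per-MB rate above the threshold, and all addresses and prices are assumptions.

```python
"""TOLLPASS/TOLLGATE sketch (added example; not code from the post)."""
import base64
import hashlib
import hmac
import json

MB = 1024 * 1024


class TollPass:
    """Token issuer on the Novell side (the post's NLM). Shares `key` with the gate."""

    def __init__(self, key: bytes):
        self.key = key   # assumed: one shared secret between TOLLPASS and TOLLGATE

    def issue_token(self, userid: str, ip: str, category: str) -> str:
        # Claims plus an HMAC over them: the gate rejects any token whose
        # user, IP or category has been altered after issue.
        body = json.dumps({"user": userid, "ip": ip, "cat": category},
                          sort_keys=True).encode()
        mac = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()


class TollGate:
    """Gate on the Internet link: admission, per-user byte counts, charging."""

    def __init__(self, key: bytes, tariffs: dict):
        self.key = key
        # category -> (threshold_bytes, X dollars/MB below, Y dollars/MB above)
        self.tariffs = tariffs
        self.active = {}   # ip -> {"user": ..., "cat": ..., "bytes": ...}

    def verify(self, token: str):
        """Return the token's claims, or None if the MAC does not check out."""
        try:
            b64body, b64mac = token.split(".")
            body = base64.b64decode(b64body, validate=True)
            mac = base64.b64decode(b64mac, validate=True)
        except ValueError:   # wrong field count, or bad base64 (binascii.Error)
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        return json.loads(body)

    def admit(self, token: str) -> bool:
        """Add the token's user/IP to the active list if the token is genuine."""
        claims = self.verify(token)
        if claims is None or claims.get("cat") not in self.tariffs:
            return False
        self.active[claims["ip"]] = {"user": claims["user"], "cat": claims["cat"], "bytes": 0}
        return True

    def account(self, src_ip: str, nbytes: int) -> bool:
        """Count nbytes from src_ip; False means no active token for that address."""
        entry = self.active.get(src_ip)
        if entry is None:
            return False   # unauthorised traffic: not passed and not billed to anyone
        entry["bytes"] += nbytes
        return True

    def bill(self, ip: str) -> float:
        """X per MB up to the category threshold, Y per MB above it (assumed reading)."""
        entry = self.active[ip]
        threshold, x, y = self.tariffs[entry["cat"]]
        below = min(entry["bytes"], threshold)
        above = max(0, entry["bytes"] - threshold)
        return round(below / MB * x + above / MB * y, 2)


def rebind_token_ip(token: str, new_ip: str) -> str:
    """What moving a token to another address looks like on the wire: the
    claims change but the MAC cannot be recomputed without the key."""
    b64body, b64mac = token.split(".")
    claims = json.loads(base64.b64decode(b64body))
    claims["ip"] = new_ip
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(body).decode() + "." + b64mac


def demo():
    key = b"shared-secret-between-tollpass-and-tollgate"      # assumed
    tariffs = {"student": (10 * MB, 0.00, 2.00),               # free to 10 MB, then $2/MB
               "staff": (100 * MB, 0.00, 0.50)}                # assumed tariffs
    tollpass, gate = TollPass(key), TollGate(key, tariffs)
    token = tollpass.issue_token("jbloggs", "10.1.2.3", "student")
    admitted = gate.admit(token)
    gate.account("10.1.2.3", 12 * MB)
    stray = gate.account("10.1.2.99", 1 * MB)                  # no token for this IP
    forged = gate.admit(rebind_token_ip(token, "10.1.2.77"))  # MAC no longer matches
    return admitted, stray, forged, gate.bill("10.1.2.3")


if __name__ == "__main__":
    print(demo())   # (True, False, False, 4.0)
```

Everything the gate does is keyed on the source IP address named in the token, so the scheme stands or falls on that address really belonging to the token holder for the life of the entry: on a shared LAN, a host sending with an active neighbour's address is counted against that neighbour. That is the usual caveat for any address-bound authorisation, and a reason to expire entries and re-request tokens often rather than keep the active list open-ended.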
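Peter Van Epp's salt-then-verify check, as an added example (illustrative code for this page, not Simon Fraser's implementation): the Novell server asks the Unix daemon for the account's salt, computes the crypted password itself, and sends that entry to the daemon, which answers only "yes" or "no". Keeping both the stored hash and the verdict on the Unix side is what puts a guessing client under the daemon's control, and the example adds a per-account failure count to show that. PBKDF2 stands in for Unix crypt(3); the two-request wire format, the lockout limit, the stable fake salt for unknown accounts, and the sample accounts are all assumptions.

```python
"""Salt-then-verify password check, Novell side against a Unix daemon
(added example modelled on Peter Van Epp's description; not SFU's code)."""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3   # assumed: consecutive wrong answers before the daemon refuses "yes"


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salted, deliberately slow hash of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000).hex()


class UnixPasswordDaemon:
    """The daemon on the Unix host. Holds the entries; hands out salts and verdicts only."""

    def __init__(self):
        self.entries = {}    # user -> (salt, hash)
        self.failures = {}   # user -> consecutive wrong answers

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_hex(4)
        self.entries[user] = (salt, crypt_like(password, salt))

    def salt_for(self, user: str) -> str:
        """Request 1: the salt. Unknown users get a stable fake salt so this
        request cannot be used to enumerate which accounts exist (assumption)."""
        entry = self.entries.get(user)
        if entry is None:
            return hashlib.sha256(b"no-such-user:" + user.encode()).hexdigest()[:8]
        return entry[0]

    def check(self, user: str, candidate: str) -> str:
        """Request 2: compare the client's computed hash; answer only yes or no."""
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "no"   # locked: even the right password is refused
        entry = self.entries.get(user)
        if entry is None or not hmac.compare_digest(entry[1], candidate):
            self.failures[user] = self.failures.get(user, 0) + 1
            return "no"
        self.failures[user] = 0
        return "yes"


class NovellServer:
    """The file-server side. It only ever sees a hash it computed itself."""

    def __init__(self, daemon: UnixPasswordDaemon):
        self.daemon = daemon

    def login(self, user: str, password: str) -> bool:
        salt = self.daemon.salt_for(user)
        return self.daemon.check(user, crypt_like(password, salt)) == "yes"


def demo():
    daemon = UnixPasswordDaemon()
    daemon.add_user("alice", "correct horse")   # constructed account
    server = NovellServer(daemon)
    good = server.login("alice", "correct horse")
    bad = server.login("alice", "wrong")
    guesses = [server.login("alice", g) for g in ("a", "b", "c")]   # reaches the limit
    locked_out = server.login("alice", "correct horse")             # refused while locked
    ghost = server.login("nobody", "anything")                       # no such account
    return good, bad, guesses, locked_out, ghost


if __name__ == "__main__":
    print(demo())   # (True, False, [False, False, False], False, False)
```

Because the Novell side never receives the stored hash, a client that wants to guess passwords has to make one daemon round trip per guess, which is where the counter (or, in a real daemon, a delay and a log line) bites. A lockout that any client can trigger is itself a denial-of-service lever, so a production daemon would more likely throttle than lock.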