From proff Tue Aug 13 10:36:39 1996
From: "Steve Lodin"
Message-Id: <9608121453.ZM8557@kocrsw07.delcoelect.com>
Date: Mon, 12 Aug 1996 14:53:23 -0500
X-URL: http://www.cs.purdue.edu/people/swlodin
To: firewalls@greatcircle.com
Subject: USENIX Symposium Firewalls BOF Notes

Firewall BOF - Tuesday July 23, 1996
Brent Chapman - Great Circle Associates - Referee

Introductory Material
--------------------------

Firewalls Mailing List - send "subscribe firewalls [address]" to majordomo@greatcircle.com or check http://www.greatcircle.com/firewalls/.
4550 main list, 4126 fw-digest, readership estimated at 15-20 K
US - 2/3 readership
Top domains - com, edu, net, au

Questions
------------

Q: When you install a proxy firewall without sendmail, what sendmail proxies/replacements running on the FW can do LHS and RHS hacking?
A: smap eventually hands things off to sendmail anyway.

Q: What services are necessary for the next generation proxies? IMAP?
A: SQL*Net, Lotus Notes.
A: Steve Bellovin makes the point of asking yourself why you want to pass complicated protocols thru proxies like this.
A: Send email to carson@lehman.com to work on an IMAP proxy.

Q: Audience experiences with penetration analysis? Hiring someone else to try penetration testing.
A: Saved time, although some tests seemed cookbook that they could have done themselves if they had time.
A: Brent - How good and how honest are the people you hire? People that are good at breaking into systems have different mind sets than people who are good at defending systems.
A: Steve - A lot depends on your type of service. An application gateway only doing three services won't pay to test.
A: Brent - Using it for automated audits to check things like configuration. It only tells you what you test.
A: Brent - Packet sniffer on the inside looking for things the firewall is supposed to block and sending alarms. Try tcpdump or etherfind or snoop.
A: Steve - Look for strange addresses - means an uncontrolled portion of your net or a leak in your firewall.
A: Brent - Check routing tables for unknown networks.

Q: Users require X. Only know about SSH or Xforward. Any safe way to do X?
A: Brent - (Lists problems with X server access.) Mitre paper in last year's USENIX Security Symposium. After allowing a connection, you trust all connections from that end.
A: Possibility of an X server monitor.
A: xnest is a neat application.

Q: Useful encryption for dial-in for both Suns and PCs?
A: Hughes Netlock.
A: SSH, which might not work for his application.
A: Encrypting modems.
A: Steve - IPSEC should be available soon.
A: SKIP might be a solution that is available now.

Q: How to handle remote connections where the remote end might be compromised?
A: Fred Avolio - SWIPE based, separate encryption and strong user authentication.
A: Steve - Don't think there is a general answer.
A: Carson - Drafted a policy to address remote access from home with known configurations and a higher level of assurance. Different classes of machines, known vs. unknown.

Q: How do you determine if the box at the other end of the PPP connection isn't a router?
A: Steve - Don't allow routing protocols through PPP connections.
A: Brent - Assume the connection has a network. (Describes problems with dual career couples in the Bay Area with in-home LANs that route between companies.)
A: Tough decision on whether to put the terminal servers on the inside or outside of the firewall.
A: Fred - Suggest that anyone coming from the outside is on the outside of the security perimeter. Authenticate, then allow services based on their identity. Recommend that terminal servers be put on the outside of the firewall.
A: Jim Duncan - More than one firewall is now the norm.

Q: Anyone comment on the Cisco PIX box?
A: Steve - Fundamental conflict between NAT and encryption. Can't do end-to-end security (like DNS).

Q: How to treat SMTP, using smap on the FW or proxying?
A: If you are going to run smap, make sure you patch (check the FW archives).

Q: How many people are running stuff other than IP thru/around the firewall?
A: IPX tunnel thru IP thru the firewall.
A: Decnet around the firewall.

Q: Implementations of VPN for Europeans?
A: BSDI IPSEC being done in Greece.

Q: How many are using SSH to tunnel into the firewall for administrative purposes?
A: A couple.

Discussion about MD5 and S/key. S/key attacks and MD5 potential problems. Schneier may have new results on MD5 (in)security.

Q: Anything better?
A: SHA or RIPEMD-160.

Q: Does Tripwire support SHA?
A: Don't think so.

Q: Firewalls for ATM?
A: Christoph Schuba is doing research for Xerox and the Purdue University COAST Project.
A: Address filtering will be less doable in IPv6. IPv6 can autorenumber.

Q: Has the IETF addressed encryption for export?
A: The IAB did make a statement. The IETF specifies technically sound protocols and lets politicians worry about it.

Q: SQL*Net transactions thru the firewall and doing audit/control?
A: No, only tunneling.
A: SAP and D&B internet clients will probably need this.
A: Every DB vendor has their own proprietary SQL format.

Q: NCSA Firewall Certification?
A: Anything resembling a firewall will pass the certification, basically.
A: 80% of compromises are due to misconfiguration or misunderstandings. 80% of support calls are DNS, sendmail, and routing issues for TIS.
A: No plug and play firewalls. Even the most advanced firewalls can still be misconfigured.
A: Customers asking vendors for the capability to misconfigure their firewall.

Brand new DNS patches from Sun update to BIND 4.9.3 with BIND 4.9.4 validation code for Sol2.

Q: What to do about an organization which says that since we have a firewall we don't need to worry about internal security?
A: Some companies will place trust in inside employees and feel that the risk is worth it.
A: Fred - Some companies think that a firewall will protect them from everything; takes education.

(Ran out of battery on the notebook at this point. Hopefully Rik can offer his notes to finish the session.)

Steve Lodin

--
Steve Lodin - Delco Electronics - swlodin@delcoelect.com - (317)451-0479
"Too many issues, not enough time." -- Tony Powers
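The inside-wire audit Brent and Steve describe in the penetration-analysis answers (sniff the inside segment for traffic the firewall is supposed to block, and for addresses you do not administer) as an added example that is not part of the original post or the BOF. The site address space, the blocked-service list and the tcpdump-style capture lines are all constructed assumptions; the code reads classic "src.port > dst.port: S ..." tcpdump TCP output.

```python
import ipaddress
import re

# Assumed site policy, constructed for this example (not from the BOF notes):
# the address space the site administers, all of RFC 1918, and the services
# the firewall policy says must never reach inside hosts from outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCKED_PORTS = {23: "telnet", 111: "portmap", 512: "rexec", 2049: "nfs"}
# Matches the "src.sport > dst.dport: FLAGS ..." shape of classic tcpdump TCP output.
LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")

def in_nets(ip, nets):
    return any(ip in n for n in nets)

def audit(lines):
    """Return (reason, line) alarms for packets the firewall should have stopped."""
    alarms = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparsed line: ignored by this simple audit
        src, dst = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(3))
        dport, flags = int(m.group(4)), m.group(5)
        new_conn = flags == "S" and " ack " not in line  # bare SYN, not a SYN-ACK reply
        # Rule 1 (Brent): a fresh connection from a non-internal source to a blocked
        # service on an inside host means the firewall policy is not being enforced.
        if new_conn and not in_nets(src, INTERNAL_NETS) and in_nets(dst, INTERNAL_NETS) \
                and dport in BLOCKED_PORTS:
            alarms.append((f"leak: {BLOCKED_PORTS[dport]} from outside", line))
        # Rule 2 (Steve): RFC 1918 addresses you do not administer appearing on the
        # inside wire point to an uncontrolled segment or a route you did not know about.
        for ip in (src, dst):
            if in_nets(ip, RFC1918) and not in_nets(ip, INTERNAL_NETS):
                alarms.append((f"unknown private address {ip}", line))
    return alarms

# Constructed sample capture (TEST-NET addresses stand in for the outside world).
SAMPLE = """\
10.1.2.3.1034 > 203.0.113.2.80: S 100:100(0) win 512
203.0.113.2.80 > 10.1.2.3.1034: S 200:200(0) ack 101 win 512
203.0.113.9.3456 > 10.1.2.7.23: S 300:300(0) win 512
172.16.44.2.2222 > 10.1.2.3.25: S 400:400(0) win 512
10.1.2.3.25 > 172.16.44.2.2222: S 500:500(0) ack 401 win 512
""".splitlines()

def audit_sample():
    return audit(SAMPLE)
```

On the constructed capture the audit raises one telnet leak alarm and two alarms for the 172.16.44.2 host, which lives in RFC 1918 space the site does not administer; the outbound web session and its reply are not flagged.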