From proff  Thu Aug 15 19:34:46 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id TAA28572 for best-of-security; Thu, 15 Aug 1996 19:34:46 +1000
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id NAA06237 for <proff@suburbia.net>; Thu, 15 Aug 1996 13:50:14 +1000
Received: from relay2.UU.NET (relay2.UU.NET [192.48.96.7]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id UAA22792 for <proff@suburbia.net>; Wed, 14 Aug 1996 20:13:50 -0700 (PDT)
Received: from miles.greatcircle.com by relay2.UU.NET with ESMTP 
	(peer crosschecked as: miles.greatcircle.com [198.102.244.34])
	id QQbcut01268; Wed, 14 Aug 1996 22:56:09 -0400 (EDT)
Received: (majordom@localhost) by miles.greatcircle.com (8.7.1-lists/Lists-960417-1) id TAA02342 for firewalls-outgoing; Wed, 14 Aug 1996 19:08:39 -0700 (PDT)
Received: from crow.spirit.com (pool025.Max6.FFX1.VA.DYNIP.ALTER.NET [205.230.245.89]) by miles.greatcircle.com (8.7.4/Miles-951221-1) with ESMTP id TAA02303 for <firewalls@greatcircle.com>; Wed, 14 Aug 1996 19:08:24 -0700 (PDT)
Received: (from rik@localhost) by crow.spirit.com (8.7.3/8.7.3) id QAA00297; Wed, 14 Aug 1996 16:37:21 -0700 (MST)
Date: Wed, 14 Aug 1996 16:37:21 -0700 (MST)
From: Rik Farrow <rik@spirit.com>
Message-Id: <199608142337.QAA00297@crow.spirit.com>
To: firewalls@GreatCircle.COM, swlodin@eng.delcoelect.com
Subject: Re: USENIX Symposium Firewalls BOF Notes
Sender: proff
Precedence: bulk

Steve Lodin suggested that I add my notes to the ones he already posted.

In regards to MD5, Steve Bellovin mentioned that S/Key only used the
lower 64 bits of the 128 bits generated by MD5.  Also, that success
in finding two inputs which would have the same output involved using
fewer iterations of the algorithm.  Steve mentioned seeing a hacker
tool designed to capture S/Key responses, and a tool named monkey
which performs a crack-style search for keys based on bad passwords.

Someone else asked if Tripwire supported SHA.  The answer was no, [but
I'd like to add that combining MD5 with Snefru provides 256 bits, and
should be safe for a while.]

At the end of Steve's notes, Fred Avolio was making the point that
some sites feel that having a firewall, any firewall, makes their 
site secure against anything (which reminds me of something Bill
or Steve said about having a vault for a front door and screen
doors in the back).

To continue, someone asked about blocking Java at the firewall.  Brent
mentioned that there have been implementation problems with Java,
but no fatal design problems had appeared.  [TIS and ANS have announced
Java blocking.]

Someone else asked about blocking Active-X, but got no direct response.

Carson stated that if you allow SSL through your firewall, people
can send things through the firewall which are encrypted.  For
example, a way cool Javascript [sic] that plays strip poker with
interesting animation while doing something else.  Brent then said
"You don't know you are being hosed until it's too late.  Tough 
problem."

Someone asked about performance testing.  Fred Avolio answered that
performance testing can be purchased, but most people don't know
what their usage is or will be.  Gaspar Carson suggested recording
IP traffic, and playing it back at different speeds.  Brent mentioned
that application mix may change over time.  Carson continued by
saying he had seen a test of sendmail which used the same address
over and over (no aliasing, DNS lookups, same rewriting each time).

Someone asked about highly available firewalls.  Carson suggested
Veritas, uses round robin DNS to assign connections to multiple
firewalls, loss of one host means loss of current TCP connections
at worst.  [I believe DEC sells a clustered firewall solution also.]

Someone asked about gated problems.  Carson suggested the gated 
mailing list.  Someone asked about having a Web server on third
leg of proxy firewall.  Carson suggested using packet filtering
in front of Web server on semi-exposed DMZ.

At this point, things became quiet enough for Brent to adjourn the
BoF.

Rik
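To make the S/Key remark above concrete, here is an added illustration (not part of Rik's notes or any S/Key implementation) of why only 64 of MD5's 128 bits matter in an S/Key-style one-time-password chain: every step folds the digest to 8 bytes before hashing again, and the server verifies a response by hashing it once and comparing against the last accepted value. The passphrase, seed, sequence count and the XOR folding are my own choices for the example.

```python
import hashlib


def fold_md5_to_64(data: bytes) -> bytes:
    """MD5 the input, then fold the 16-byte digest to 8 bytes by XORing its halves.

    Only 64 bits survive this step, so the chain's effective strength is 64 bits
    no matter how many bits MD5 itself produces (folding method is this example's choice).
    """
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_chain(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password at position `count`.

    The chain starts from fold(seed || passphrase) and applies the fold `count`
    more times; the client sends position N-1 when the server holds position N.
    """
    value = fold_md5_to_64((seed + passphrase).encode())
    for _ in range(count):
        value = fold_md5_to_64(value)
    return value


class OtpServer:
    """Verifier that stores only the most recently accepted 64-bit value."""

    def __init__(self, passphrase: str, seed: str, n: int):
        self.seed = seed
        self.sequence = n                          # position of the stored value
        self.last = otp_chain(passphrase, seed, n)  # passphrase is not retained

    def verify(self, response: bytes) -> bool:
        """Accept `response` only if hashing it once reproduces the stored value."""
        if self.sequence <= 0:
            return False  # chain exhausted; the user must re-initialise
        if len(response) != 8 or fold_md5_to_64(response) != self.last:
            return False
        # Advance: a replayed response no longer hashes to the stored value.
        self.last = response
        self.sequence -= 1
        return True
```

Because each accepted value replaces the stored one, a captured response (the kind of thing the sniffing tool mentioned above collects) is useless once it has been used, but a weak passphrase still lets an offline search reconstruct the whole chain from a single observed value.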

