 From:  "Brandon Holland" <brandon at cookssaw dot com>
 To:  "'Mitch \(WebCob\)'" <mitch at webcob dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  [m0n0wall] Sorry Mitch
 Date:  Tue, 30 Dec 2003 23:29:37 -0600
Sorry Mitch,

I thought I was pretty close to on topic there.  From what I understood
in your message you were looking for a good ident that was similar to
the type of ident certain Windows firewall titles such as ZoneAlarm use.

Realizing that your idea wasn't fully feasible and believing that
(generally speaking) rejecting could be better, I gave my (and Falcor
gave his) idea on what kind of ident solution is possible.

At any rate, I'm new to this mailing list thing (I'm just a lowly
network admin); I'm probably not fully "up" on mailing list netiquette.

If you'd like to direct me to something to read, I'd be happy to.  What
exactly is "hijacking a thread"?

Anyway, next time it comes my way (assuming it does), I'll change the
subject.

Thanks for your understanding,
Brandon

-----Original Message-----
From: Mitch (WebCob) [mailto:mitch at webcob dot com] 
Sent: Tuesday, December 30, 2003 10:54 PM
To: Brandon Holland; 'Falcor'
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] windows built in "ident"...

still wondering why you guys hijacked my thread?

Start a new thread for new discussion please.

Makes it harder for everyone to follow when you do this, and decreases
the chance you will get a response.

Thanks.

m/

-----Original Message-----
From: Brandon Holland [mailto:brandon at cookssaw dot com]
Sent: Tuesday, December 30, 2003 1:18 PM
To: 'Falcor'
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] windows built in "ident"...


Everything that examines a packet is potentially a security risk.

Since I don't need to give an ident response (just a reset packet), I'd
hate taking the (albeit minimal) risk.

The Perl script or the interpreter could be flawed.  It also takes
overhead to use and interpret it.

To me, besides being a security risk it is a waste of my time (to
configure and maintain) and server resources.  Besides, I don't have an
"extra" server, and I wouldn't want to put a direct port forward (for
Perl or any program) straight to my main server.

Port forwards should never go to your "GREEN" connection, only to
your DMZ.  (That'd defeat the purpose of the DMZ.)

I'm just saying, I'd rather have the weakest link be the BSD TCP stack
(which I hear is probably the best TCP implementation, period) than
something else.

Ideally in my situation, only a select group of IPs get a RESET packet
(IRC servers and the like).  Everything else?  It'd get dropped.

If I had something that actually needed a "correct" ident response
(maybe there are still some IRC servers out there that must "qualify"
you?) maybe then, if those IRC servers were important, I'd do it. BUT: I
still wouldn't want a port forward straight into my LAN.

Ideally, in that case, it'd be its own separate server in the DMZ.
Assuming your DMZ is well protected (and set up with performance
counters and other "detection" algorithms), you now know, and have time
to correct a flaw (and to kick out a hacker).

I didn't mean to turn this into a rant :) but F.Y.I. even NTP servers as
humble and simple as they are have fallen victim to hackers able to act
upon a flaw in NTP.

Still wanting "rejection,"
Brandon

-----Original Message-----
From: Falcor [mailto:falcor at netassassin dot com]
Sent: Tuesday, December 30, 2003 1:45 PM
To: Brandon Holland
Cc: 'Mitch (WebCob)'; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] windows built in "ident"...

I use a Perl application that mimics an identd daemon.  I then forward
all identd requests to that Unix server.  All my internal clients then
can access IRC and other identd-based auth systems with no problems.
And I don't risk much, as the Perl script simply replies with what I put
in a text file as the ident info, and not a compromisable component on a
Windows box.

Brandon Holland wrote:

>You can allow IDENT based on certain IPs (say if you use a select
>group of IRC servers)
>
>And if we can add a "REJECT" you don't even have to fully allow ident
>anyway.  (Leave out your IRC app as a possibly hackable component)
>
>-----Original Message-----
>From: Mitch (WebCob) [mailto:mitch at webcob dot com]
>Sent: Tuesday, December 30, 2003 2:43 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] windows built in "ident"...
>
>this may not be in here yet... maybe it's not easy... but if someone
>could point me in the right direction that would be a start...
>
>Other firewalls support passing requests made by certain
>applications... ZoneAlarm or BlackICE for example - and the parts they
>have integrated with Linksys routers... can detect a bogus HTTP request
>generated by a program OTHER THAN Internet Explorer (like by a virus or
>a messenger program trying to circumvent the firewall) and shut them
>down...
>
>They are able to detect the NAME of the application initiating the
>request...
>
>I'm thinking this is parallel to identd, but seems to be built into
>Windows... Does anyone know what it's called or where the protocol is
>defined? Could be an interesting addition... I'd like to poke around in
>this area, but can't find where to start.
>
>Thanks.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>

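The two approaches argued over in the thread, Falcor's fake identd that answers every request with a fixed string read from a text file, and Brandon's preference for giving only a short allowlist of IRC servers any answer at all (a reset, or at most a canned reply) while dropping everyone else, can be written down as one small policy. The block below is an added example, not code from the thread, from Falcor's script, or from m0n0wall; the allowlisted networks, the canned username "nobody", and all function names are assumptions made for the example. It parses the RFC 1413 request line, rejects malformed or out-of-range port pairs with the protocol's own INVALID-PORT error, and returns one of three actions for a request: reply with the canned identity, send a TCP reset, or drop silently.

```python
import ipaddress
import re

# Constructed sample allowlist (an assumption for this example, not from the
# thread): only these networks get any answer at all on TCP/113.
IRC_SERVERS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# The fixed identity a text-file-backed fake identd hands out (hypothetical
# value). Because it never changes, a reply reveals nothing about which local
# account actually opened the connection.
CANNED_USER = "nobody"

# RFC 1413 request: "<port-on-server> , <port-on-client>" terminated by CR LF.
REQUEST_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
MAX_REQUEST_LEN = 1000  # RFC 1413 limits a request line to 1000 characters


def is_allowlisted(src_ip: str) -> bool:
    """True when src_ip falls inside an allowlisted network.

    Unparsable addresses are treated as not allowed, so a bad input never
    accidentally opens the door."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in IRC_SERVERS)


def ident_reply(request_line: str, user: str = CANNED_USER) -> str:
    """Build the RFC 1413 reply for one request line, echoing the port pair back.

    Oversized, malformed or out-of-range requests get the protocol's
    INVALID-PORT error instead of any identity information."""
    line = request_line.rstrip("\r\n")
    if len(line) > MAX_REQUEST_LEN:
        return "0 , 0 : ERROR : INVALID-PORT"
    m = REQUEST_RE.match(line)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return f"{sport} , {cport} : ERROR : INVALID-PORT"
    return f"{sport} , {cport} : USERID : UNIX : {user}"


def handle_ident(src_ip: str, request_line: str, allowed_action: str = "reply"):
    """Decide what an ident request from src_ip gets.

    allowed_action selects what allowlisted sources receive:
      "reply" - the canned RFC 1413 answer (the fake-identd approach)
      "rst"   - a TCP reset carrying no ident data (the reject approach)
    Everything off the allowlist is dropped silently.
    Returns a tuple (action, reply_text_or_None)."""
    if not is_allowlisted(src_ip):
        return ("drop", None)
    if allowed_action == "rst":
        return ("rst", None)
    return ("reply", ident_reply(request_line))


if __name__ == "__main__":
    # Constructed sample requests: one allowlisted IRC server, one unknown host.
    samples = [("192.0.2.10", "6667 , 51234\r\n"), ("203.0.113.5", "6667 , 51234\r\n")]
    for src, req in samples:
        print(src, "->", handle_ident(src, req))
        print(src, "->", handle_ident(src, req, allowed_action="rst"))
```

Run it directly to see the decision for an allowlisted and an unknown source under both allowed actions. The design point is that the policy decision (who gets anything) is made on the source address before any request bytes are parsed, so the parser only ever sees traffic from hosts that were already chosen to receive an answer.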