ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
Nanog-

ISS X-Force released two X-Force Security Advisories this evening detailing high-risk issues in Checkpoint Firewall-1 and VPN-1. Please refer to the following URLs for more information:

http://xforce.iss.net/xforce/alerts/id/162
http://xforce.iss.net/xforce/alerts/id/163

------------------
Daniel Ingevaldson
Director, X-Force R&D
dsi@iss.net
404-236-3160

Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
"Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi@iss.net> writes:
Dan> http://xforce.iss.net/xforce/alerts/id/162
Dan> http://xforce.iss.net/xforce/alerts/id/163

You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but ..

Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)

Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely dumb people to brand themselves "firewall admins". Like the "admin" at a now defunct Indian ISP where my former employer had several machines colocated.

That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.

Getting locked out of all my ssh sessions, having to drive 20 km to the datacenter, and then having to reset the block myself while my boss was still arguing with the "admin" was kind of an interesting experience, I must say.

Yes, his checkpoint management console, running on an unpatched hp/ux 10.2 machine, was up and running, and we just walked right into the NOC to argue with him. That made it quite easy to click the right buttons while the guy stood up to call his supervisor in to try convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.

Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(

srs

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
not that I'm a fan of any firewall product in particular, but...

On Thu, 5 Feb 2004, Suresh Ramasubramanian wrote:

> "Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi@iss.net> writes:
>
> Dan> http://xforce.iss.net/xforce/alerts/id/162
> Dan> http://xforce.iss.net/xforce/alerts/id/163
>
> You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but ..
>
> Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)
>
> Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely

Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault with the vendor or the person(s) implementing or the 'management' of said person(s)? Even an openbsd firewall is a problem if not properly admin'd.

> That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.

port 22 is bad though, right? Clearly this was the wrong person to be doing this job, he could have just as easily been looking at netflow output and dumped this traffic with an acl on his fancy router... The tool used is immaterial, his level of clue is what is at issue.

> while the guy stood up to call his supervisor in to try convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.

there is a dilbert about this very thing ;) "Harness the power of CERTIFICATION!!!"

> Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(

Nope, but pointing out their failures in a sensible manner to their management is helpful... sometimes at least :( Failing any action there the whole group is just shooting themselves in the foot and there isn't much you can do about that, is there? (except to get out of the blast radius)
Christopher L. Morrow [2/5/2004 10:45 PM] :

> Sure, anything is dangerous in the 'right' (wrong?) hands. Is the fault with the vendor or the person(s) implementing or the 'management' of said person(s)? Even an openbsd firewall is a problem if not properly admin'd.

of course, but you do have to contend with the fact that it takes at least some amount of IQ beyond the point and click level to fire up vi and use a command line interface. :)

Neal Stephenson's "in the beginning was the command line" is an interesting take on this, I think.

> Nope, but pointing out their failures in a sensible manner to their management is helpful... sometimes at least :( Failing any action there the whole group is just shooting themselves in the foot and there isn't much you can do about that, is there? (except to get out of the blast radius)

Actually, the problem is that when dealing with a bunch of know it alls like that, even waving manufacturer's documentation in front of them doesn't really help.

Like my friend's cable ISP, that recently turned on "smtp fixup" on a cisco pix on port 25 across their entire network. He's got a static IP, runs linux + postfix, and is still left with a completely crippled mailserver (no AUTH, no TLS, no ESMTP ...) thanks to this. Waving cisco docs at them doesn't seem to have helped at all.

[Moving is tough, they are the only broadband in the Bangalore suburb where he lives]

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know network consultant, who installed few hundred of them, and it works.

On the other hand, every time, when I have a deal with this beasts (we do not use them, but some our customers use), I have an impression, that it is the worst firewall in the world:
- for HA, you need very expansive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/.
- to change VPN, you must reapply all policy, causing service disruption (I saw 1 day outage due to unsuccessful Checkpoint reconfiguration);
- VPN have numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which have this problem);
- Configuration is not packed in 1 single file, so making difficult change control, etc etc...

All this is _very_ subjective, of course; but - those customers, who uses Checkpoints, are the only ones who had a problems with firewalls. If I compare it with plain, reliable and _very simple_ PIX (PIX is not state of art, of course) and some others... I begin to think about checkpoint as about one more _brand bubble_. At least, I always advice _against_ it.

PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such book!

----- Original Message -----
From: "Suresh Ramasubramanian" <suresh@outblaze.com>
To: <nanog@merit.edu>
Sent: Thursday, February 05, 2004 8:56 AM
Subject: Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

> "Dan" == Ingevaldson, Dan (ISS Atlanta) <dsi@iss.net> writes:
>
> Dan> http://xforce.iss.net/xforce/alerts/id/162
> Dan> http://xforce.iss.net/xforce/alerts/id/163
>
> You know, I'm quite allergic to that word "checkpoint". Perhaps I'm completely wrong here, but ..
>
> Might be a good idea to deploy openbsd firewalls instead of expensive and buggy stuff like Checkpoint :)
>
> Anything which reduces "security" to point and click on a cute web or other GUI interface is dangerous... allows untrained and completely dumb people to brand themselves "firewall admins". Like the "admin" at a now defunct Indian ISP where my former employer had several machines colocated.
>
> That idiot basically saw lots of inbound traffic to port 22 on our machines, didn't know what the hell that was, and firewalled port 22 across the ISP's network.
>
> Getting locked out of all my ssh sessions, having to drive 20 km to the datacenter, and then having to reset the block myself while my boss was still arguing with the "admin" was kind of an interesting experience, I must say.
>
> Yes, his checkpoint management console, running on an unpatched hp/ux 10.2 machine, was up and running, and we just walked right into the NOC to argue with him. That made it quite easy to click the right buttons while the guy stood up to call his supervisor in to try convince us (me and my boss) that yes, he knew what he was doing, he had an MCSE and a CCNA after all, etc.
>
> Is there some really good "network security for dummies" book that I can point such people at? Telling them to google doesn't do much good, I fear :(
>
> srs
>
> --
> srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
> manager, outblaze.com security and antispam operations
Alexei Roudnev wrote:

> Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know network consultant, who installed few hundred of them, and it works.
>
> On the other hand, every time, when I have a deal with this beasts (we do not use them, but some our customers use), I have an impression, that it is the worst firewall in the world:
> - for HA, you need very expansive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/.
> - to change VPN, you must reapply all policy, causing service disruption (I saw 1 day outage due to unsuccessful Checkpoint reconfiguration);
> - VPN have numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which have this problem);
> - Configuration is not packed in 1 single file, so making difficult change control, etc etc...
>
> All this is _very_ subjective, of course; but - those customers, who uses Checkpoints, are the only ones who had a problems with firewalls. If I compare it with plain, reliable and _very simple_ PIX (PIX is not state of art, of course) and some others... I begin to think about checkpoint as about one more _brand bubble_. At least, I always advice _against_ it.
>
> PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such book!

Of course 'back in days' when Firewall-1 started and firewalls@greatcircle.com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thank you.

Now PIX is quite good, and Firewall-1 has become the Microsoft of firewalls - i.e. everywhere and not particularly well administered.

Interesting how things change isn't it?

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Martin Hepworth wrote:

> Alexei Roudnev wrote:
>
>> Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know network consultant, who installed few hundred of them, and it works.
>>
>> On the other hand, every time, when I have a deal with this beasts (we do not use them, but some our customers use), I have an impression, that it is the worst firewall in the world:
>> - for HA, you need very expansive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/.
>> - to change VPN, you must reapply all policy, causing service disruption (I saw 1 day outage due to unsuccessful Checkpoint reconfiguration);
>> - VPN have numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which have this problem);
>> - Configuration is not packed in 1 single file, so making difficult change control, etc etc...
>>
>> All this is _very_ subjective, of course; but - those customers, who uses Checkpoints, are the only ones who had a problems with firewalls. If I compare it with plain, reliable and _very simple_ PIX (PIX is not state of art, of course) and some others... I begin to think about checkpoint as about one more _brand bubble_. At least, I always advice _against_ it.
>>
>> PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such book!
>
> Of course 'back in days' when Firewall-1 started and firewalls@greatcircle.com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thank you.
>
> Now PIX is quite good,

Is it still very counter intuitive to set up a PIX to _not_ do the eevul NAT? Is the PIX no longer PeeCee hardware underneath (I know they got rid of the HDD) so not as to bring NOs down to the level of the great unwashed throngs of desktop users?

> and Firewall-1 has become the Microsoft of firewalls - i.e. everywhere and not particularly well administered.
>
> Interesting how things change isn't it?

At least Checkpoint had the sense to kill the FWZ VPN protocol early and go with IPsec. More than I can say for M$. Not that IPsec interoperability is fully realized. Checkpoint has its own proprietary icky tricks to try to sneak IPsec through NAT just like every other commercial vendor. But Checkpoint admins are the worst part, "I check the box to use IKE VPN but someone said that uses the ESP service. Which port number is that? I read port 50 somewhere, but should I make it a TCP or UDP service?"

The Checkpoint feature/bug that frustrates me is at the GUI level there is no association between a rule and an interface. To cover up this problem, there is the automatic "anti-spoofing" feature which is a bitch, if not impossible, to properly configure for a complicated topology.

--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
> Is it still very counter intuitive to set up a PIX to _not_ do the eevul NAT? Is the PIX no longer PeeCee hardware underneath (I know they got rid of the HDD) so not as to bring NOs down to the level of the great unwashed throngs of desktop users?

Of course, PIX is still a CISCO - this means _configure it by cisco's example and modify, do not write out configuration from the scratch_ (Cisco have a very bold history of different bugs and behaviours, such as 'VoIP requires 'ip routing' on 36xx and 53xx').

But, after all, it works without major problems, and became very easy to manage (I have automatic configuration repository with web interface, CVSWEB archive, and so on - and it always takes 1 minute to save config, check config, check changes happen during last week, revert configuration back, even to update PIX OS in redundant environment). For Checkpoint owners (we have some legacy in company), it is a very complicated (often impossible) process.

Security advisories are another issue, but I'd expect more about Checkpoint, stating that it is based on general OS.

> Globalstar Communications (408) 933-4387
On PIX'en and FWSM it is very easy to disable the evil NAT; all you need is to enter the "nat 0" command in global configuration mode. This allows the PIX to pass addresses untranslated.

The Pixen are still based on Intel hardware, but to the best of my knowledge they have never had a HDD, and I have worked with them since the original PIX and PIX 10000. I attended the initial product announcement seminar when they first came out.

Scott C. McGrath

On Thu, 5 Feb 2004, Crist Clark wrote:

> Martin Hepworth wrote:
>
>> Alexei Roudnev wrote:
>>
>>> Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know network consultant, who installed few hundred of them, and it works.
>>>
>>> On the other hand, every time, when I have a deal with this beasts (we do not use them, but some our customers use), I have an impression, that it is the worst firewall in the world:
>>> - for HA, you need very expansive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/.
>>> - to change VPN, you must reapply all policy, causing service disruption (I saw 1 day outage due to unsuccessful Checkpoint reconfiguration);
>>> - VPN have numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which have this problem);
>>> - Configuration is not packed in 1 single file, so making difficult change control, etc etc...
>>>
>>> All this is _very_ subjective, of course; but - those customers, who uses Checkpoints, are the only ones who had a problems with firewalls. If I compare it with plain, reliable and _very simple_ PIX (PIX is not state of art, of course) and some others... I begin to think about checkpoint as about one more _brand bubble_. At least, I always advice _against_ it.
>>>
>>> PS. Security for dummies... interesting idea. Unfortunately, this book should start with _100% secure computer = dead computer_ -:) Why not? People really need such book!
>>
>> Of course 'back in days' when Firewall-1 started and firewalls@greatcircle.com was *the* network security ML, PIX was an utter pile of poo and F-1 was very nice thank you.
>>
>> Now PIX is quite good,
>
> Is it still very counter intuitive to set up a PIX to _not_ do the eevul NAT? Is the PIX no longer PeeCee hardware underneath (I know they got rid of the HDD) so not as to bring NOs down to the level of the great unwashed throngs of desktop users?
>
>> and Firewall-1 has become the Microsoft of firewalls - i.e. everywhere and not particularly well administered.
>>
>> Interesting how things change isn't it?
>
> At least Checkpoint had the sense to kill the FWZ VPN protocol early and go with IPsec. More than I can say for M$. Not that IPsec interoperability is fully realized. Checkpoint has its own proprietary icky tricks to try to sneak IPsec through NAT just like every other commercial vendor. But Checkpoint admins are the worst part, "I check the box to use IKE VPN but someone said that uses the ESP service. Which port number is that? I read port 50 somewhere, but should I make it a TCP or UDP service?"
>
> The Checkpoint feature/bug that frustrates me is at the GUI level there is no association between a rule and an interface. To cover up this problem, there is the automatic "anti-spoofing" feature which is a bitch, if not impossible, to properly configure for a complicated topology.
>
> --
> Crist J. Clark crist.clark@globalstar.com
> Globalstar Communications (408) 933-4387
again, not that I care about the vendor in question.. BUT

On Thu, 5 Feb 2004, Alexei Roudnev wrote:

> Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know network consultant, who installed few hundred of them, and it works.
>
> On the other hand, every time, when I have a deal with this beasts (we do not use them, but some our customers use), I have an impression, that it is the worst firewall in the world:
> - for HA, you need very expansive Solaris cluster (compare with PIX-es) /I can be wrong, but it is overall opinion/.

wrong, get nokia's run checkpoint on them, they do VRRP natively, it rocks... does stateful failover so you can't even tell when one dies.

> - VPN have numerous bugs (it is not 100% compatible with Cisco's by default; of course, I can blame Cisco, but Checkpoint is _the only_ one of my peers which have this problem);

this actually works well, provided you config it correctly, there is an example for pix/CP vpn config at:

http://www.phoneboy.com/bin/view.pl/FAQs/VPNsBetweenFourOneAndCisco

not that phoneboy should be anyone's substitute for support on the cisco or CP side, of course.

> - Configuration is not packed in 1 single file, so making difficult change control, etc etc...

right, this is actually a huge problem for MSSP's, having to do everything via a gui is bad :(
At 08:56 AM 2/5/2004, Suresh Ramasubramanian wrote:

> Is there some really good "network security for dummies" book that I can point such people at?

A "social" approach is often more effective than the "technical" approach i.e. it is often easier to hack into a secured system via "social hacking". In a similar vein, while I have no idea if it's "good", but I bet it would be satisfying *and* effective (no matter if he actually reads the book or not) to buy a copy and give it to the luser^W idiot ^W NOCling in question:

<http://www.cobb.com/chey/Network_Security_for_Dummies.html>

You could take a cluebat[1] along when you give it to him. A bit of carrot and stick approach. :-)

jc

[1] <http://ars.userfriendly.org/cartoons/?id=20030210&mode=classic> UF was actually selling these for a while, unfortunately they are all sold out now.
Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004

Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
Vendor Notification Schedule:
Vendor notified - 2/2/2004
Checkpoint patch developed and made available - 2/4/2004
ISS X-Force Advisory released - 2/4/2004

Isn't it curious that two unrelated issues have been reported to CheckPoint on the same day and the patches came out on the same day? Am I too paranoid, or it seems that CheckPoint had previous knowledge of the bugs and they agreed with ISS which date would be stated as notification to CP to make it appear that a quick response (two days) has been achieved on those issues?

Rubens

----- Original Message -----
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
To: <nanog@merit.edu>
Sent: Thursday, February 05, 2004 1:32 AM
Subject: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

> Nanog-
>
> ISS X-Force released two X-Force Security Advisories this evening detailing high-risk issues in Checkpoint Firewall-1 and VPN-1. Please refer to the following URLs for more information:
>
> http://xforce.iss.net/xforce/alerts/id/162
> http://xforce.iss.net/xforce/alerts/id/163
>
> ------------------
> Daniel Ingevaldson
> Director, X-Force R&D
> dsi@iss.net
> 404-236-3160
>
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net
Rubens Kuhl Jr. wrote:

> Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities
> Vendor Notification Schedule:
> Vendor notified - 2/2/2004
> Checkpoint patch developed and made available - 2/4/2004
> ISS X-Force Advisory released - 2/4/2004
>
> Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow
> Vendor Notification Schedule:
> Vendor notified - 2/2/2004
> Checkpoint patch developed and made available - 2/4/2004
> ISS X-Force Advisory released - 2/4/2004
>
> Isn't it curious that two unrelated issues have been reported to CheckPoint on the same day and the patches came out on the same day? Am I too paranoid, or it seems that CheckPoint had previous knowledge of the bugs and they agreed with ISS which date would be stated as notification to CP to make it appear that a quick response (two days) has been achieved on those issues?

Uh... yeah, that's how these things are _supposed_ to work. Did you read the ISS advisory?

Checkpoint has released an update to address this issue. The update is available at the following address:

http://www.checkpoint.com/techsupport/alerts/index.html

Vendor Notification Schedule:
Vendor notified – 2/2/2004
Checkpoint patch developed and made available – 2/4/2004
ISS X-Force Advisory released – 2/4/2004

ISS X-Force published this Security Advisory in coordination with the affected vendor in accordance to our published Vulnerability Disclosure Guidelines, available at the following address:

http://documents.iss.net/literature/vulnerability_guidelines.pdf

> ----- Original Message -----
> From: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
> To: <nanog@merit.edu>
> Sent: Thursday, February 05, 2004 1:32 AM
> Subject: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1
>
> Nanog-
>
> ISS X-Force released two X-Force Security Advisories this evening detailing high-risk issues in Checkpoint Firewall-1 and VPN-1. Please refer to the following URLs for more information:
>
> http://xforce.iss.net/xforce/alerts/id/162
> http://xforce.iss.net/xforce/alerts/id/163
>
> ------------------
> Daniel Ingevaldson
> Director, X-Force R&D
> dsi@iss.net
> 404-236-3160
>
> Internet Security Systems, Inc.
> The Power to Protect
> http://www.iss.net

--
Crist J. Clark crist.clark@globalstar.com
Globalstar Communications (408) 933-4387
In message <02e501c3ec1f$9a833fe0$020ba8c0@NOTEBOOK>, "Rubens Kuhl Jr." writes:

> Isn't it curious that two unrelated issues have been reported to CheckPoint on the same day and the patches came out on the same day? Am I too paranoid, or it seems that CheckPoint had previous knowledge of the bugs and they agreed with ISS which date would be stated as notification to CP to make it appear that a quick response (two days) has been achieved on those issues?

Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix?

--Steve Bellovin, http://www.research.att.com/~smb
My point is that it is very unlikely that both bugs had been discovered by ISS within the same time frame. Two days is also little time to develop and test, which raises the suspicion on this issue.

I'm not against notification before disclosure, but it seems that the dates on this announcement might have been changed in order to make the solution appear to be developed in very little time. ("See ma, I'm damn fast")

Rubens

> Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix?
>
> --Steve Bellovin, http://www.research.att.com/~smb
On Thu, 05 Feb 2004 14:56:13 EST, "Steven M. Bellovin" said:

> Why is that bad? I have no objection to giving vendors a reasonable amount of time to fix problems before announcing the whole. Or is your point that two days hardly seems like enough time to develop -- and *test* -- a fix?

Two days is plenty if it's a Homer Simpson-esque "D'Oh!" bug. Probably not if it's something that requires some regression testing.
> Two days is plenty if it's a Homer Simpson-esque "D'Oh!" bug. Probably not if it's something that requires some regression testing.

my memory from some decades in software product world is that *any* change requires regression testing, especially the quick little, "it won't affect anything", changes.

randy
On Thu, 05 Feb 2004 14:45:31 CST, "Laurence F. Sheldon, Jr." <larrysheldon@cox.net> said:

> Valdis.Kletnieks@vt.edu wrote:
>
>> Two days is plenty if it's a Homer Simpson-esque "D'Oh!" bug. Probably not if it's something that requires some regression testing.
>
> All bugs reduce to that, eventually, don't they?

Very few do. Most of the time, the appropriate quote is:

"So, there is a curse? That's interesting." -- Captain Jack Sparrow.

:)
participants (15)
- Alexei Roudnev
- Christopher L. Morrow
- Crist Clark
- Ingevaldson, Dan (ISS Atlanta)
- JC Dill
- Laurence F. Sheldon, Jr.
- Martin Hepworth
- Randy Bush
- Rubens Kuhl Jr.
- Scott McGrath
- Stephen Stuart
- Steven M. Bellovin
- Suresh Ramasubramanian
- suresh@outblaze.com
- Valdis.Kletnieks@vt.edu