RE: Secure desktop idea?
From: Robert Clark (rclark@texascellular.com)
Date: 11/05/01
- Previous message: Chris Chandler: "RE: Activity Software"
- In reply to: vertigo: "Re: Secure desktop idea?"
- Next in thread: Gediminas Grigas: "Re[2]: Secure desktop idea?"
- Next in thread: Hanna, Basem: "RE: Secure desktop idea?"
From: "Robert Clark" <rclark@texascellular.com>
To: "'vertigo'" <vertigo@panix.com>, "'John Oliver'" <john.oliver@hosting.com>
Subject: RE: Secure desktop idea?
Date: Mon, 5 Nov 2001 11:25:51 -0600
Message-ID: <000f01c1661e$f4e895e0$fdfea8c0@ISDesktop>

I think the point here is that somewhere on your network, you have to
have routing tables stored, or you are creating more problems than you
solve. The best possible solution to block your existing network from
prying eyes is to NAT it through a separate server (*NIX, etc.) or a
physical firewall internet appliance of some sort. This you can set up
and it will allow your users out, their requests in (the ones you allow)
and your intranet is effectively shielded from the outside world*.
*[This is not necessarily an all-inclusive deal; it could still be
compromised, albeit not easily. What it SHOULD do is keep the script
kiddies out, and make it fairly difficult for experienced hackers to get
in.]
Robert Clark
MCSE, MCP+I, MCP, A+
MIS - Texas Cellular
> -----Original Message-----
> From: vertigo [mailto:vertigo@panix.com]
> Sent: Thursday, November 01, 2001 11:43 AM
> To: John Oliver
> Cc: security-basics@securityfocus.org
> Subject: Re: Secure desktop idea?
>
>
>
> On Tue, 30 Oct 2001, John Oliver wrote:
> > A thought just occurred to me... desktop systems (and even some
> > servers) could be almost completely secure if there was a way to
> > dynamically allocate and de-allocate routes. If your system has no
> > default route, it ought to be safe from any TCP-based attack. If
> > routes to remote networks could be dynamically added as needed, and
> > then removed, it seems that it would be virtually impossible for an
> > outsider to even see that the host exists, let alone be able to root
> > it.
> >
> > Ideas? Am I just way off the deep end here? :-)
>
> Interesting idea. A few comments/questions:
>
> 1) It sounds like a lot of overhead.
> 2) It sounds a bit like NAT.
> 3) How would you communicate with other hosts on the internet if there
>    is no route to yours?
> 4) Does "as needed" mean when a connection is attempted _to_ a host
>    on this non-routable network, or when a connection is made _from_ it
>    to a host outside of said network?
> 5) If "as needed" means a connection _to_ it, how is it any different
>    than the existing framework with some additional overhead? (I'm not
>    a TCP/IP guru by any stretch of the imagination.)
> 6) If "as needed" means a connection _from_, do all the hosts on such a
>    network become temporarily exposed, or just that single host? (I
>    think I'm confusing myself now and just being argumentative.)
> 7) The host is exposed when it is added to the routing table and the
>    whole system falls apart.
>
> Where's that copy of TCP/IP Illustrated... :)
>
> vertigo
>
>
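
The routing argument in this thread (the no-default-route idea and vertigo's points 3, 6 and 7), modelled as an added example that is not part of the original messages: a longest-prefix-match lookup showing which peers the host can answer before, during and after a temporary route exists. The class, function names and addresses are constructed for illustration.

```python
import ipaddress


class RouteTable:
    """Minimal longest-prefix-match table for one host (illustrative model)."""

    def __init__(self, connected):
        # A host always has a route to its own directly connected subnet.
        self.routes = {ipaddress.ip_network(connected): "on-link"}

    def add(self, prefix, gateway):
        self.routes[ipaddress.ip_network(prefix)] = gateway

    def remove(self, prefix):
        del self.routes[ipaddress.ip_network(prefix)]

    def lookup(self, dst):
        """Return the next hop for dst, or None when there is no route."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


def can_complete_handshake(table, peer):
    # Whether an inbound SYN arrives is decided upstream, not by this table;
    # the handshake completes only if the host can route its SYN-ACK back.
    return table.lookup(peer) is not None


def demo():
    # Constructed addresses: RFC 1918 LAN, RFC 5737 documentation ranges.
    host = RouteTable("192.168.1.0/24")
    wanted, stranger, neighbour = "198.51.100.10", "203.0.113.7", "198.51.100.99"
    # No default route: remote peers get no reply, the local subnet still does.
    results = {"no_default": [can_complete_handshake(host, p)
                              for p in (wanted, stranger, "192.168.1.50")]}
    host.add("198.51.100.0/24", "192.168.1.1")   # route added "as needed"
    # While the route exists, every address in that prefix can be answered.
    results["route_up"] = [can_complete_handshake(host, p)
                           for p in (wanted, stranger, neighbour)]
    host.remove("198.51.100.0/24")               # route withdrawn again
    results["route_down"] = [can_complete_handshake(host, p)
                             for p in (wanted, neighbour)]
    return results


if __name__ == "__main__":
    for phase, outcome in demo().items():
        print(phase, outcome)
```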