Re: Advanced Security Question
From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 08/13/04
- Next message: Abdullah Ramazanoglu: "Re: Advanced Security Question"
- Previous message: Alexander Clouter: "Re: Don't know if SSH was ever designed to do this, but..."
- In reply to: Hammer: "Advanced Security Question"
- Next in thread: Hammer: "Re: Advanced Security Question"
- Reply: Hammer: "Re: Advanced Security Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 13 Aug 2004 13:21:01 -0500
On 2004-08-12, Hammer <hammeraus001@yahoo.com> wrote:
> Please forgive me if this is either a stupid question or will only be
> available sometime in the late 24th century. Here goes...
>
Well, we all go through this phase... today is your turn :P
> Does anyone know how I would set a switched network to direct ALL
> traffic through a linux box for authorisation, authentication, IDS and
> logging. I could use RADIUS, but I've heard there are some flaws with
> it.
>
> Basically this box is going to check every packet on the network, log
> it, check for "unwanted" activity and/or authorise it. It's going to
> be acting in a super cop role, between clients, secure servers,
> unsecure servers and Internet connection via firewall. Yes - it's a
> firewall and DMZ, but to a greater extent.
>
It's already been mentioned that what you are after is _routing_ and not doing
things by just plugging things into a switch and hoping it all goes through
that.
In practice you have two options in a _switched_ environment, one takes a
passive role whilst the other takes the active one:
passive:
--------
If you have a fancy switch it will probably have something called a 'mirror'
port, which more or less shunts all the traffic from the other ports down it in
a hub fashion. This would enable you to run snort and do monitoring of the
network; however, you would be unable to do anything 'active'.
active:
-------
Tricky to pull off, but it's called 'ARP poisoning'; you can get a rough idea
of it by using 'ettercap'. You corrupt the ARP tables of the remote machines
to pass the traffic to you, and then your machine forwards the ethernet
packets after it has finished with them. This _will_ be a custom job; I only
know of man-in-the-middle versions of this (a la ettercap) and nothing that
would scale/work for more than a single host.
The one thing you are forgetting (again pointed out in the other posting) is
that you will effectively need a box for every 'x' number of hosts... which
obviously can get out of hand.
I guess another approach would be to make a switch out of linux with a bank
of ethernet cards (one NIC port for each host, hmmm quad cards anyone?) and
plug everyone into that with the linux central box in 'ethernet bridge mode'.
> I want any new machines to be denied access to anything until they are
> authorised. I also want to stop all traffic between clients, unless
> through the linux box.
>
All I can suggest is that you VPN *every* machine to the central host (which
is going to do the monitoring/firewalling) and dish out certificates to each
machine to 'authorise' them. Any non-VPN traffic on *every* host is then
Not what I would call a difficult thing to pull off, just simply stupid :)
In summary, it's a stupid thing to try and pull off. You have not given us
reasons why you need to do this (do you not trust the client machines being
plugged in?) for us to suggest a better, more scalable and sensible
approach.
Have fun
Alex
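The 'active' approach Alex describes relies on corrupting the ARP tables of other hosts, and the same technique in an attacker's hands is what a monitoring box on a mirror port should be watching for. The following is an added example, not code from the thread or from any tool it mentions: it parses ARP replies from a constructed, tcpdump-style text capture (the sample lines and the MAC/IP values are invented for illustration), keeps an IP-to-MAC table seeded from an optional set of pinned bindings, and raises an alert whenever an IP is claimed by a MAC other than the one it was first (or explicitly) bound to. It also lists MACs that claim several IPs within the capture, which is how a single machine inserting itself between a gateway and a client looks on the wire.

```python
"""Detect ARP cache poisoning from ARP replies in a text capture.

Added example, not part of the original mailing-list post. Input format is an
approximation of `tcpdump -n -e arp` output; the sample below is constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample. Lines 3 and 4 show de:ad:be:ef:00:01 claiming both the
# gateway (192.168.1.1) and a client (192.168.1.10) that were already bound to
# other MACs, i.e. the wire-level signature of an ARP-poisoning middlebox.
SAMPLE_ARP_LOG = """\
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000002 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at aa:bb:cc:dd:ee:01, length 28
12:00:03.000003 de:ad:be:ef:00:01 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:04.000004 de:ad:be:ef:00:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28
"""

# Only ARP *replies* carry an IP-to-MAC claim; requests are ignored.
ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for every ARP reply line in the capture."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_poisoning(
    replies: List[Tuple[str, str, str]],
    known: Optional[Dict[str, str]] = None,
) -> List[Dict[str, str]]:
    """Alert on any reply that rebinds an IP to a different MAC.

    `known` is an optional set of pinned bindings (e.g. the gateway), which is
    the assumption a static ARP entry would make; everything else is bound on
    first sight. A conflicting claim never overwrites the table, so a second
    poisoned reply for the same IP is reported again rather than trusted.
    """
    bindings: Dict[str, str] = {ip: mac.lower() for ip, mac in (known or {}).items()}
    alerts: List[Dict[str, str]] = []
    for ts, ip, mac in replies:
        prev = bindings.get(ip)
        if prev is None:
            bindings[ip] = mac
        elif prev != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": prev, "new_mac": mac})
    return alerts


def macs_claiming_many(replies: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Map each MAC that answered for more than one IP to the set of IPs claimed."""
    claims: Dict[str, Set[str]] = {}
    for _, ip, mac in replies:
        claims.setdefault(mac, set()).add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    parsed = parse_arp_replies(SAMPLE_ARP_LOG)
    for alert in detect_poisoning(parsed, known={"192.168.1.1": "00:11:22:33:44:55"}):
        print(f"{alert['time']} ARP rebind {alert['ip']}: "
              f"{alert['old_mac']} -> {alert['new_mac']}")
    for mac, ips in macs_claiming_many(parsed).items():
        print(f"{mac} answered for {len(ips)} IPs: {sorted(ips)}")
```

Run against a live capture, this is the passive side of the thread: it sits on the mirror port, needs no changes to the switched hosts, and flags the rebinding behaviour that the 'active' design (and ettercap) depends on. Pinning the gateway's MAC in `known` matters because a first-seen binding is only as trustworthy as whoever answered first.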