Re: Advanced Security Question
From: Abdullah Ramazanoglu (abdullah_at_ramazanoglu.tr)
Date: 08/13/04
- Next message: Bill Marcum: "Re: Port 785 = Network Terrorist?"
- Previous message: Alexander Clouter: "Re: Advanced Security Question"
- In reply to: Hammer: "Advanced Security Question"
- Next in thread: Abdullah Ramazanoglu: "Re: Advanced Security Question"
- Reply: Abdullah Ramazanoglu: "Re: Advanced Security Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 13 Aug 2004 23:16:08 +0300
Hammer said:
> Please forgive me if this is either a stupid question or will only be
> available sometime in the late 24th century. Here goes...
>
> Does anyone know how I would set a switched network to direct ALL
> traffic through a linux box for authorisation, authentication, IDS and
> logging. I could use RADIUS, but I've heard there are some flaws with
> it.
>
> Basically this box is going to check every packet on the network, log
> it, check for "unwanted" activity and/or authorise it. It's going to
> be acting in a super cop role, between clients, secure servers,
> unsecure servers and Internet connection via firewall. Yes - it's a
> firewall and DMZ, but to a greater extent.
>
> I want any new machines to be denied access to anything until they are
> authorised. I also want to stop all traffic between clients, unless
> through the linux box.
As an addition to Alexander's arp solution, it might also be possible to
set up clients so that they won't respond to arp queries. Then you could
manually build the arp table, in init-scripts, of the "cop" server,
inserting all clients in it. Additionally, you set up the server to
proxy-arp all clients. The result is that all arp queries would be replied
to (proxied) by the server, pointing to its own mac address; the incoming
traffic would then be processed by iptables (with your "cop" programs
in the chain) and forwarded to the real destination client.
The trick is, how to implement an arp table (on server) so that it will
advertise its own mac address e.g. for an arp query of client
192.168.100.100 and then use the real mac address of that client when it
comes to forward the processed packet: In the former case your server's
arp table should be associating 192.168.100.100 (destination client) with
its own mac address, but in the latter case the same arp table should be
associating 192.168.100.100 with the destination client's real mac
address. Unless you can find a solution to this, I guess this suggestion
of mine is no more than a fantasy.
There might be another way not mentioned so far: set up your DHCP server
so that all the clients are given a different subnet each, while the "cop"
routing server is on an umbrella network that comprises all those
subnets. Then no client will be on the same subnet as any other, but
all of them will be on the same network as the routing server. So they
cannot talk to each other directly, but only through routing by the server.
Example:
Routing server : 10.1.x.1/8 (N aliased host addresses for N clients) or,
10.1.x.1/24 (N aliased net addresses for N clients)
Clients: 10.1.x.100/24 (different x for each client)
Could it be possible to devise a solution that doesn't need a lot of
aliases on the routing server? Maybe, I don't know.
-- Abdullah | aramazan@ | Ramazanoglu | myrealbox | ________________| D-O-T cöm |
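As an added illustration of the per-client-subnet idea above (example code, not from the thread and not Abdullah's own configuration): a small POSIX shell script that emits the server alias and an ISC dhcpd stanza for each client x, and checks by prefix masking which pairs of addresses are on-link. Assumed: interface eth0, the 10.1.x.0/24 numbering from the post, and constructed MAC addresses; nothing here touches a real interface.

```shell
#!/bin/sh
# Added example: per-client /24 subnets handed out by DHCP, with the "cop"
# routing server holding one alias per subnet. Only prints and computes.
# Assumptions: eth0, 10.1.x.0/24 numbering from the post, constructed MACs.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIXLEN -> success when A and B share the same /PREFIXLEN.
same_subnet() {
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# server_alias X -> command giving the server an address inside client X's subnet.
server_alias() {
    echo "ip addr add 10.1.$1.1/24 dev eth0 label eth0:$1"
}

# dhcp_stanza X MAC -> ISC dhcpd declaration pinning client X to 10.1.X.100
# with the server's alias as its only router.
dhcp_stanza() {
    cat <<EOF
subnet 10.1.$1.0 netmask 255.255.255.0 {
    option routers 10.1.$1.1;
    host client$1 { hardware ethernet $2; fixed-address 10.1.$1.100; }
}
EOF
}

# Demonstration with two clients, x=3 and x=4 (constructed MAC addresses).
for x in 3 4; do
    server_alias "$x"
    dhcp_stanza "$x" "02:00:00:00:00:0$x"
done
# Clients are not on-link with each other, so traffic must cross the server...
same_subnet 10.1.3.100 10.1.4.100 24 && echo "clients on-link" || echo "clients must route via server"
# ...but each client is on-link with its own server alias.
same_subnet 10.1.3.100 10.1.3.1 24 && echo "client 3 on-link with its server alias"
```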