Re: Advanced Security Question
From: Dale Dellutri (ddelQQQlutr_at_panQQQix.com)
Date: 08/13/04
- Next message: Seena: "My Redhat 9.0 was just hacked to death - help"
- Previous message: Abdullah Ramazanoglu: "Re: Advanced Security Question"
- In reply to: Hammer: "Advanced Security Question"
- Next in thread: Skylar Thompson: "Re: Advanced Security Question"
Date: Fri, 13 Aug 2004 21:26:54 +0000 (UTC)
On 11 Aug 2004 18:20:52 -0700, Hammer <hammeraus001@yahoo.com> wrote:
> Please forgive me if this is either a stupid question or will only be
> available sometime in the late 24th century. Here goes...
> Does anyone know how I would set a switched network to direct ALL
> traffic through a Linux box for authorisation, authentication, IDS and
> logging. I could use RADIUS, but I've heard there are some flaws with
> it.
> Basically this box is going to check every packet on the network, log
> it, check for "unwanted" activity and/or authorise it. It's going to
> be acting in a super cop role, between clients, secure servers,
> unsecure servers and Internet connection via firewall. Yes - it's a
> firewall and DMZ, but to a greater extent.
> I want any new machines to be denied access to anything until they are
> authorised. I also want to stop all traffic between clients, unless
> through the Linux box.
> Would IP tables on clients, servers and Linux authentication box be
> able to do this? Client IP tables only allow traffic to
> authentication server. Server IP tables only allow traffic between
> authorised servers and authentication server. Authentication server
> only allows authorised traffic between itself and client/servers
> (server traffic dependent upon server role). This sounds logical, but
> could it be done?
One way to do this: get rid of the network switch and use a Linux
system as the switch. It would have to have as many ethernet ports as
the original switch, and you'd need a specialized iptables and other
software, but it could be done.
Alternatively, get a network switch that allows all of what you need.
Perhaps some high-end Cisco or HP Procurve switch? Or perhaps a
WatchGuard or other firewall/vpn/security switch?
I think you'll find it difficult to control the entire network's
traffic unless you do it at the switch.
-- Dale Dellutri <ddelQQQlutr@panQQQix.com> (lose the Q's)
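The "Linux system as the switch" design from the reply above, as an added example that is neither Dale's nor Hammer's code: a script that generates (but does not apply) the FORWARD ruleset so that an unlisted machine can reach nothing and a listed one reaches only the authentication server, with everything else logged before the policy drops it. Interface names, addresses and MACs are constructed assumptions.

```shell
#!/bin/sh
# Added example: emits (does not apply) an iptables FORWARD ruleset for a Linux
# box used in place of the switch. Assumed layout (constructed, not from the
# thread): eth0 faces the authentication/IDS server, each client hangs off its
# own NIC and /24, so every packet between hosts must be forwarded by this box.

AUTH_IF="eth0"          # assumption: NIC toward the authentication server
AUTH_IP="10.0.0.1"      # constructed address of that server

# Authorised hosts: "<client NIC> <client IP> <client MAC>", one per line.
# A machine not listed here matches nothing and is dropped by the chain policy.
AUTHORISED='eth1 10.0.1.10 00:11:22:33:44:01
eth2 10.0.2.10 00:11:22:33:44:02'

gen_rules() {
    # Policy first: nothing is forwarded unless a rule below says so.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections this box already accepted.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Each authorised port may reach the authentication server, and only that,
    # and only with its registered source IP and MAC (a new box plugged into
    # the same port with a different address still matches nothing).
    echo "$AUTHORISED" | while read -r ifc ip mac; do
        [ -n "$ifc" ] || continue
        echo "iptables -A FORWARD -i $ifc -o $AUTH_IF -s $ip -d $AUTH_IP" \
             "-m mac --mac-source $mac -j ACCEPT"
    done
    # Everything else, including client-to-client traffic, is logged and then
    # dropped by the policy. The log line is what the logging/IDS role consumes.
    echo "iptables -A FORWARD -j LOG --log-prefix \"FWD-DENY: \" --log-level 4"
}

# Number of ACCEPT rules: one for conntrack plus one per authorised host.
accept_rule_count() {
    gen_rules | grep -c -- '-j ACCEPT'
}

gen_rules
```

Pipe the output into sh on the box after enabling IP forwarding; the box's own INPUT chain and the per-role server-to-server rules Hammer describes are not shown.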