Re: Advanced Security Question
From: Hammer (hammeraus001_at_yahoo.com)
Date: 08/16/04
- Next message: Hammer: "Re: linux distribution to use?"
- Previous message: Bill Marcum: "Re: Crackers & the law"
- In reply to: Alexander Clouter: "Re: Advanced Security Question"
- Next in thread: Abdullah Ramazanoglu: "Re: Advanced Security Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 15 Aug 2004 17:41:41 -0700
Alexander,
We are a hospital in the process of planning an upgrade of the
network. The upgrade will probably include thin clients (getting
linux image by TFTP) and wireless.
So basically, what we want to do is reduce the risk (as far as
possible) of any unauthorised interaction between any clients/servers.
We want to control all of the traffic on the network to the point and
only allow certain traffic from source to destination.
I know it sounds bizarre, but in terms of security & healthcare, you
can't go too far.
Thanks to everyone who has posted responses, I'll look further into
them.
Hammer
Alexander Clouter <alex@digriz.junk-this.org.uk> wrote in message news:<411d068d$1_2@127.0.0.1>...
> On 2004-08-12, Hammer <hammeraus001@yahoo.com> wrote:
> > Please forgive me if this is either a stupid question or will only be
> > available sometime in the late 24th century. Here goes...
> >
> well we all go through this phase....today is your turn :P
>
> > Does anyone know how I would set a switched network to direct ALL
> > traffic through a linux box for authorisation, authentication, IDS and
> > logging. I could use RADIUS, but I've heard there are some flaws with
> > it.
> >
> > Basically this box is going to check every packet on the network, log
> > it, check for "unwanted" activity and/or authorise it. It's going to
> > be acting in a super cop role, between clients, secure servers,
> > unsecure servers and Internet connection via firewall. Yes - it's a
> > firewall and DMZ, but to a greater extent.
> >
> It's already been mentioned that what you are after is _routing_ and not doing
> things by just plugging things into a switch and hoping it all goes through
> that.
>
> In practice you have two options in a _switched_ environment, one takes a
> passive role whilst the other takes the active one:
>
> passive:
> --------
> if you have a fancy switch it probably will have something called a 'mirror'
> port which more or less shunts all the traffic from the other ports in a hub
> fashion down it, this would enable you to run snort and do monitoring of the
> network however you would be unable to do anything 'active'
>
> active:
> -------
> tricky to pull off but it's called 'ARP poisoning', you can get a rough idea
> of it by using 'ettercap'. You corrupt the ARP tables of the remote machines
> to pass the traffic to you and then your machine forwards the ethernet
> packets after it has finished with them. This _will_ be a custom job, I only
> know of man-in-the-middle versions of this (a la ettercap) and nothing that
> would scale/work for more than a single host.
>
> The one thing you are forgetting (again pointed out in the other posting) is
> that you will need a box for every 'x' number of hosts effectively....which
> obviously can get out of hand.
>
> I guess another approach would be to make a switch out of linux with a bank
> of ethernet cards (one NIC port for each host, hmmm quad cards anyone?) and
> plug everyone into that with the linux central box in 'ethernet bridge mode'.
>
> > I want any new machines to be denied access to anything until they are
> > authorised. I also want to stop all traffic between clients, unless
> > through the linux box.
> >
> All I can do to suggest is you VPN *every* machine to the central host (which
> is going to do the monitoring/firewalling) and dish out certificates to each
> machine to 'authorise' them. Any non-VPN traffic on *every* host is then
>
> Not what I would call a difficult thing to pull off, just simply stupid :)
>
> In summary, it's a stupid thing to try and pull off. You have not given us
> reasons why you need to do this (do you not trust the client machines being
> plugged in?) for us to suggest a better, more scalable and sensible
> approach.
>
> Have fun
>
> Alex
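The "switch made out of Linux with a bank of ethernet cards" in the quoted reply is the one option there that actually lets the central box enforce policy rather than just watch. As an added example (not code from the thread or from either poster), the script below generates the bridge setup and rule set for such a box: every client port is enslaved to one bridge, frames from an unlisted MAC/IP pair are dropped at layer 2 (which also denies a new machine everything until it is added, and pins ARP to the bound address so the ARP poisoning mentioned above does not work across the bridge), and IP flows are forwarded only when they match an explicit source/destination/port allow-list, with everything else logged and dropped. The bridge name br0, the NIC list, the TFTP boot server at 10.0.0.10, the application server at 10.0.0.30 and all MAC/IP values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the commands that turn a
# Linux box with one NIC per host into a policy-enforcing Ethernet bridge:
# default deny at layer 2 (ebtables) and layer 3 (iptables), explicit allows,
# and logging of whatever is dropped.
#
# Assumptions (none appear in the original post): bridge br0, client ports in
# CLIENT_NICS, TFTP boot server 10.0.0.10, application server 10.0.0.30; the
# MAC and IP values below are constructed for this example.

CLIENT_NICS='eth1 eth2 eth3 eth4'

# Authorised MAC -> IP bindings. A frame whose source MAC/IP pair is not listed
# is dropped at layer 2, so a newly plugged-in machine gets nothing until added.
AUTHORISED='
00:11:22:33:44:10 10.0.0.10
00:11:22:33:44:30 10.0.0.30
00:11:22:33:44:21 10.0.0.21
00:11:22:33:44:22 10.0.0.22
'

# Allowed flows: "src dst proto dport". Only the initiating direction is
# listed; replies are admitted by connection tracking.
POLICY='
10.0.0.21 10.0.0.10 udp 69
10.0.0.22 10.0.0.10 udp 69
10.0.0.21 10.0.0.30 tcp 443
'

gen_bridge_setup() {
    printf '%s\n' 'modprobe br_netfilter'        # lets iptables see bridged IP traffic
    printf '%s\n' 'modprobe nf_conntrack_tftp'   # tracks TFTP data ports as RELATED
    printf '%s\n' 'ip link add br0 type bridge'
    for nic in $CLIENT_NICS; do
        printf 'ip link set %s master br0\n' "$nic"
        printf 'ip link set %s up\n' "$nic"
    done
    printf '%s\n' 'ip link set br0 up'
    printf '%s\n' 'sysctl -w net.bridge.bridge-nf-call-iptables=1'
}

gen_l2_policy() {
    # ebtables: default deny, then one ACCEPT per binding for IPv4 and for ARP.
    # Tying ARP replies to the bound IP blocks ARP poisoning between ports.
    printf '%s\n' 'ebtables -P FORWARD DROP'
    printf '%s\n' 'ebtables -F FORWARD'
    printf '%s\n' "$AUTHORISED" | while read -r mac ip; do
        [ -n "$mac" ] || continue
        printf 'ebtables -A FORWARD -p IPv4 -s %s --ip-src %s -j ACCEPT\n' "$mac" "$ip"
        printf 'ebtables -A FORWARD -p ARP -s %s --arp-ip-src %s -j ACCEPT\n' "$mac" "$ip"
    done
    printf '%s\n' 'ebtables -A FORWARD --log-level info --log-prefix "l2-deny: " -j DROP'
}

gen_l3_policy() {
    # iptables on the bridge: default deny, replies via conntrack, then the allow-list.
    printf '%s\n' 'iptables -P FORWARD DROP'
    printf '%s\n' 'iptables -F FORWARD'
    printf '%s\n' 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$POLICY" | while read -r src dst proto dport; do
        [ -n "$src" ] || continue
        printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$src" "$dst" "$proto" "$dport"
    done
    printf '%s\n' 'iptables -A FORWARD -j LOG --log-prefix "l3-deny: "'
    printf '%s\n' 'iptables -A FORWARD -j DROP'
}

gen_bridge_policy() {
    gen_bridge_setup
    gen_l2_policy
    gen_l3_policy
}

# Print the commands for review; apply them as root with: sh bridge-policy.sh | sh
gen_bridge_policy
```

The script only prints the commands, so it can be reviewed (and diffed against the previous version) before being piped into a root shell. Note that client-to-client traffic is simply absent from POLICY, so it is dropped and logged with the "l3-deny:" prefix; a thin client that is not yet in AUTHORISED never reaches iptables at all and shows up under "l2-deny:". Passive monitoring with snort can still be added by running it on br0 itself, since every forwarded frame crosses that interface.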