Re: Changing iptables on the fly
- From: ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin)
- Date: Wed, 25 Oct 2006 14:50:51 -0500
On Mon, 23 Oct 2006, in the Usenet newsgroup comp.security.firewalls, in article
<jandoemen.2g78oh@xxxxxxxxxxxxxxxxxxxxxxx>, jandoemen wrote:
> I didn't know there existed something like portknocking but I guess
> it's the same idea except a few things I didn't find in other
> solutions.
The concept has been around since the 1980s.
> Simple portknocking is not so very secure because of the same sequence
> every time. Dynamic knocking is better but more complex.
and complexity is what trips people all the time. Do not make things
so complex that _your_ procedure is the major cause of problems.
Also remember that port knocking is not a means of authentication, but
a mechanism to reduce the hammering on your server by J. Random
Skript_Kiddiez and the "mal-ware de heure". If someone manages to sniff
the wire and discover the knock - they still have to come up with the
username and authentication token, and that is where your security lies.
When I first set up portknocking on my home system, I initially had it to
change port numbers daily... then weekly... and now I don't even bother,
because the logs show no one has even attempted the knock (though there
are hundreds of port-scans every day - a feature of wide-band access),
never mind getting access to the SSH login to even _try_ a username.
> The main reason I'm looking for a web solution is:
> - It works on port 80 so even when the company firewall is very secure
> .. if you can surf the Internet => it works.
Depends - like most larger companies, we use proxy servers and block
direct access to the world. Remember that the company network is for
company use - not the individual. We have several systems located in
employee break areas that are separate from the company network so that
we can check personal mail, and so on - it's actually how I'm posting
this. But these systems have no removable media drives, and the users
do not have administrative/root privileges and so can't install _ANY_
software. Users have access to three web browsers, three news readers,
four mail tools, and a telnet and SSH client. All of these applications
are configured to not remember passwords, cookies, or any other individual
configurations. /home/guest is a tiny but separate partition, and the
logout script removes all user owned files from that partition.
> - I prefer dynamic tokens above static port numbers.
Don't get it too complicated.
> - A small client can be written very easily in every language
Why is one needed? Again, the company systems here rarely have removable
media (it's not needed to do the job), and our users don't have admin/root
privileges on the company systems. Can you demonstrate why such privileges
are needed to do your job?
Old guy
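To make concrete the point argued in the thread (a static knock is replayable once sniffed; a dynamic one is not, but adds complexity), here is an added example that is not part of the original post: a small Python model of the knock-recognition logic only, with a hypothetical HMAC/time-window scheme and constructed port numbers and secret, no packet capture or iptables involved.

```python
"""Port-knock validation: static sequence vs. time-based dynamic sequence.

Constructed example, not from the thread. Models only the recognition
state machine a knock daemon would run before touching the firewall.
"""
import hmac
import hashlib

# A knock is the ordered list of destination ports seen from one source.
STATIC_KNOCK = [7000, 8000, 9000]  # constructed sample sequence


def check_static(knock, expected=STATIC_KNOCK):
    """Static knocking: the same sequence opens the door every time."""
    return list(knock) == list(expected)


def dynamic_knock(secret, window):
    """Derive the knock for one time window from a shared secret.

    Hypothetical scheme for this example: three ports in 1024..65535 taken
    from HMAC-SHA256(secret, window index).
    """
    digest = hmac.new(secret, str(window).encode(), hashlib.sha256).digest()
    return [1024 + int.from_bytes(digest[i:i + 2], "big") % 64512
            for i in (0, 2, 4)]


def check_dynamic(knock, secret, now, window_seconds=60):
    """Accept a knock only for the current window (or the previous one,
    to tolerate clock skew at a window boundary)."""
    current = now // window_seconds
    return any(list(knock) == dynamic_knock(secret, w)
               for w in (current, current - 1))


def replay_demo():
    """Knock sniffed at t_sniff and replayed 10 minutes later:
    the static knock still opens, the dynamic one does not."""
    secret = b"constructed-shared-secret"
    t_sniff = 1_000_000  # constructed epoch timestamp
    sniffed_static = list(STATIC_KNOCK)
    sniffed_dynamic = dynamic_knock(secret, t_sniff // 60)
    return {
        "static_replay": check_static(sniffed_static),
        "dynamic_at_sniff_time": check_dynamic(sniffed_dynamic, secret, t_sniff),
        "dynamic_replay_later": check_dynamic(sniffed_dynamic, secret, t_sniff + 600),
    }
```

Either way the knock only gates whether the SSH port is reachable; the login behind it still has to check the username and credential.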