Re: Port 135 Probes Continue

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 01/17/04

  • Next message: Richard E. Silverman: "Re: Question on SSH configuration in a cluster environment."
    Date: Sat, 17 Jan 2004 13:26:20 -0500

    "Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
    news:btv0tf$rh5$1@canopus.cc.umanitoba.ca...
    > In article <84-dnYjbk6sWTZzdRVn-tw@comcast.com>,
    > Nico Kadel-Garcia <nkadel@comcast.net> wrote:
    >
    > |"Walter Roberson" <roberson@ibd.nrc-cnrc.gc.ca> wrote in message
    > |news:bsqo5i$88u$1@canopus.cc.umanitoba.ca...
    >
    > |> You assume, Leythos, that the IT staff have the budget and authority
    > |> to purchase appropriate VPN equipment and deploy it.
    >
    > |Authority, yes. Budget? The only budget item is manpower for the project.
    > |Take a careful look at FreeSwan if you prefer IPsec, or at www.poptop.org
    > |for the UNIX/Linux based PPTP server that handles Microsoft's built-in VPN
    > |clients without pain. They can be hosted on quite a low end little machine,
    > |including a discarded old laptop, and even run from CD instead of from disk
    > |for security reasons.
    >
    > Is "a discarded old laptop" going to be sufficient to handle
    > a few thousand users simultaneously, with total bandwidth in the hundreds
    > of megabits per second at the server end?
    >
    > If I recall correctly, our main campus has multiple OC3, some of
    > which are saturated; our regional links are gigabit. Enterprise
    > level service costs real money.

    Ahh. Then the underlying premise changes. Supporting thousands of
    simultaneous users *requires* a significant budget, and maintaining the
    network in the face of port 135/137/138/etc. attacks is a very, very real,
    and quite large, cost. There, the benefits of forcing VPN usage rather than
    exposing your entire network to every cracker in the world via SMB and RPC
    are blatantly obvious and even more strongly support the need for blocking
    the traffic at the outer routers and firewalls and setting up VPNs for
    permitted users.

    Doing it through a set of Micro$oft based, corporate grade commercial
    servers is a huge budget issue. Supporting several hundred simultaneous
    users via a reasonable PoPToP installation on your two-year-old hardware,
    however, is a no-brainer if you acknowledge that they can do the job in a
    fashion comparable to, and much cheaper in hardware than, maintaining a
    stack of proprietary machines. And the knowledge and manpower required to
    run PoPToP or another Linux-based VPN is spread back into the overall
    handling of passwords, user authentication, and other security issues that
    you need to deal with on that scale.
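As an added example (not part of the thread, and not PoPToP's own code) of the detection side of the subject line, this script summarises firewall drop logs for probes against the SMB/RPC ports the reply says to block at the outer routers and firewalls. It assumes netfilter LOG-style lines and uses constructed sample data; ports 139 and 445 are included with 135/137/138 as the same service family, an assumption not made in the post.

```python
import re
from collections import Counter, defaultdict

# Ports to watch at the perimeter: MS RPC endpoint mapper and NetBIOS/SMB.
# 139 and 445 are added here as the same service family (assumption, not from the post).
SMB_RPC_PORTS = {135, 137, 138, 139, 445}

# Constructed sample of netfilter LOG lines (e.g. iptables -j LOG --log-prefix "DROP ").
SAMPLE_LOG = """\
Jan 17 13:26:20 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=3344 DPT=135 SYN
Jan 17 13:26:21 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=3345 DPT=445 SYN
Jan 17 13:26:22 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.11 PROTO=UDP SPT=137 DPT=137
Jan 17 13:26:30 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=4201 DPT=135 SYN
Jan 17 13:26:31 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP SPT=4202 DPT=22 SYN
Jan 17 13:27:02 gw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=1050 DPT=1723 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return (action, fields) for one netfilter LOG line, or None if it is not one."""
    m = re.search(r"kernel: (\w+) (IN=.*)$", line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group(2)))  # empty values such as OUT= are skipped
    return m.group(1), fields

def summarize_probes(text):
    """Count dropped SMB/RPC probes per source and record the distinct ports each hit."""
    per_source = Counter()
    ports_by_source = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        action, f = parsed
        if action != "DROP" or "DPT" not in f or f.get("PROTO") not in ("TCP", "UDP"):
            continue
        dport = int(f["DPT"])
        if dport in SMB_RPC_PORTS:
            per_source[f["SRC"]] += 1
            ports_by_source[f["SRC"]].add(dport)
    return per_source, {src: sorted(p) for src, p in ports_by_source.items()}

if __name__ == "__main__":
    counts, ports = summarize_probes(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} dropped SMB/RPC probe(s) on ports {ports[src]}")
```

A source that touches several of these ports in a short window (203.0.113.5 in the sample) is the pattern worth reviewing first; the accepted PPTP connection on 1723 is left out of the count by design.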
