[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] HTTP AUTH BASIC monowall.
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Fri, 17 Mar 2006 09:33:59 +1300
Simon Smith wrote:
> My concern isn't firewall management. My concern isn't with SSL
> going over the Internet. My concern is more with SSL on a LAN and that
> this IT tool and other similar tools can be compromised easily once a
> LAN is penetrated. Providing an extra layer of security within the SSL
> tunnel would help to prevent this tool and others like it from being
> compromised so easily. My first thought was on how to harden the
> authentication because the basic auth didn't cut it for me. Thats what I
> am looking for ideas for.
So, buy decent switches -- you know, properly configurable, managed
ones -- and implement strict access control policies for _ALL_
equipment connected to the LAN. Machine0001 with MAC ###### must
connect to port 123 in room 101 of Building 3, etc, etc. Disable _ALL_
unused ports. Prevent all unknown devices from accessing the LAN at
all. Set serious alarms on all unknown device appearances,
"unexpected" device disconnections, etc.
It's still not perfect, but _nothing is_ remember...
However, it will also (partly) fix a whole bunch of other problems for
you as well.
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/