| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <441A8287.28071.6E1C6EFB@nick.virus-l.demon.co.uk> Date: Thu Mar 16 20:53:22 2006 From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: HTTP AUTH BASIC monowall. Simon Smith wrote: > My concern isn't firewall management. My concern isn't with SSL > going over the Internet. My concern is more with SSL on a LAN and that > this IT tool and other similar tools can be compromised easily once a > LAN is penetrated. Providing an extra layer of security within the SSL > tunnel would help to prevent this tool and others like it from being > compromised so easily. My first thought was on how to harden the > authentication because the basic auth didn't cut it for me. Thats what I > am looking for ideas for. So, buy decent switches -- you know, properly configurable, managed ones -- and implement strict access control policies for _ALL_ equipment connected to the LAN. Machine0001 with MAC ###### must connect to port 123 in room 101 of Building 3, etc, etc. Disable _ALL_ unused ports. Prevent all unknown devices from accessing the LAN at all. Set serious alarms on all unknown device appearances, "unexpected" device disconnections, etc. It's still not perfect, but _nothing is_ remember... However, it will also (partly) fix a whole bunch of other problems for you as well. Regards, Nick FitzGerald
Powered by blists - more mailing lists