<0> fredk, Jostein_ : get some sleep
<1> night K_F
<2> except if it goes through to the internet it will pass through a couple of other gateways to actually reach the internet
<2> yea ;)
<2> night
<3> K_F: no way
<0> Jostein_: you go to bed Mister!
<2> now, say $box on a vlan is abused, who's to stop that box from trying to hack into other boxes that are behind the firewall?
<1> "LOL, yes daddy"
<3> K_F: I have whisky, wine and I have spent a lot of money in the plaza skybar
<1> fredk: should be limited to the single network itself
<2> what do you mean?
<1> fredk: unless the attacked KNOWS those networks are VLAN'ed, finding the other boxes will be tricky
<3> K_F: no way I'm quitting now :P
<1> s/ked/ker/
<2> Tamahome, you just google for other ips being used within say the same /20
<0> Jostein_: hehe, well I'm off anyways
<2> or /21 whatever ;)
<1> fredk: again, they'd have to know.
<3> K_F: later
<2> doesn't take a genius to try and ping other ips on the neighbor subnets
<2> or try and reach them in other ways
<1> fredk: you're calling them "neighbour subnets"... I had assumed (incorrectly) that none of these subnets needed to be even remotely aware of each other
<1> if they *do*, then yes you're going to want internal firewalling
<2> Yea
<2> if you were to configure so that none of my subnets can reach each other, that might lead to other issues
<2> and seems like a bad hack
<1> anyways I'm going to respectfully bow out of this conversation.
<2> hehe
<2> I'm not even sure how to solve it in a decent manner
<1> networking gives me a headache at this hour of the night
<2> ;)
<2> discussing networking while semi drunk may not be the best idea anyway hehe
<1> guilty as charged
<1> I just got back from a party
<2> ditto ;)
<2> well, a few hours ago now
<4> well you could try to sniff all traffic and make a map of what IP's you do see
<2> you wouldn't see any other ips as such, since you're the only one on the subnet
<2> but, there's nothing stopping you from trying to reach neighbor subnets :)
<1> I just wanna go play some more Oblivion
<2> Tamahome, I hear it's good
<1> I <3 it
<2> hehe
<4> maybe. a lot of ISP's however give out a /24 subnet. you should not see others IP traffic but you might see some
<1> and Penny Arcade can't appreciate it, so what
<2> XyZzY, sure I subdivide to prevent dedicated boxes from seeing each other
<2> at least not broadcast traffic and such
<4> I just cut off all non-internal IP's at my border router/DSL etc.
<2> mmm, there's problems with that though, what if they need to reach each other?
<1> then really, they should be on the same LAN
<4> still I wish I had a way to cut off IP's at my ISP's router before it ever gets to me and wastes my b/w
<5> well, they can either bounce everything off the default gateway or they can know about the other subnets
<2> there's two router levels here anyway, one is the local "switch/router" the other is the internet facing router
<4> well I look at it this way. the only IP traffic that should come to me is stuff addressed to me
<2> sure
<2> but say you have 10 servers on your subnet
<4> deny all, allow ip1, ip2, ip3 etc
<2> one of these are compromised, shouldn't you be firewalling between them to further increase security?
<2> even though they're on a local network
<4> well you could. have each server have internal FW rules as well for known services you use
<4> and by internal I mean internal to each machine
<2> yeah as in iptables
<4> or you could have a separate lan for data connections between servers
<2> how does that help? if $box is compromised that box is ON that lan and can reach the other boxes
<4> so only one server would be seen at all by the internet, but that server would have access to other servers on the separate network
<2> I don't see how that helps much though, if you have access to one box you have access to them all
<4> eg you have to compromise one box first before you could even touch the others
<2> sure, but we're working on the assumption that one box within the network is compromised here
<2> i'd say, if you want a network to be as secure as can be there should be firewalling between every single connection point
<4> I remember reading a little article long time ago about stealth servers. had to do with the Cuckoo's Egg. you could send data to a bogus IP and if that data was correct it would send data back to your real IP. eg you never touched the server directly
<2> like a proxy server?
<1> sounds neat
<4> fredk: not quite. say server1 would send a UDP packet to a bogus IP. then server2 would sniff the line for those packets. then if it thought it was valid then it would send another UDP packet back. server2 would never have a real IP at all
<4> that way server2 would be entirely invisible
<1> so then there's no actual physical server that can be breached
<2> obviously, a way to help solve this is to make sure that every routing point is on a system that has decent firewall capabilities
<2> sure
<4> I've seen this mostly: DSL -> firewall -> DMZ servers -> firewall -> backend servers
<2> mmm
<4> Tamahome: yup. IIRC Snort can do that directly
<6> m00
<4> one howto I saw showed how to do that for syslog messages. eg one 'stealth' server would not show in any direct ping search etc. and all the servers would send syslog data to a bogus IP the stealthed server would sniff the lan and then grab the packets and log them
<4> HA! dodgem parry, thrust, dodge, swerve...
<6> Ho, Ha, Ha, Guard, Turn, Parry, Dodge, Spin, Ha, Thrust!
<4> yeah that too! *BOING*
<6> hehehe
<4> sup?
<6> not much...
<4> sw33t! my PS2 HD Xtreme - USA Version - just shipped
<7> XyZzY: Damn that sounds sneaky
<4> Pizbit: yeah, but when you get paranoid the paranoid get sneakier
<4> dogbert2: seen that little tool for ps2?
<4> Pizbit: I've seen it sometimes used to catch hackers in the act
<6> yeah...
<4> I've been trying to find the Cuckoo's Egg by Clifford Stoll as an ebook for some time. great book about that sneaky ****
<4> Pizbit: undienet hates you
<4> Oooooo http://www.kleinbottle.com/
<3> Pizbit: that's nothing. my irc-server hates me
<2> haha, I managed 1337 feet
<7> Jostein_: That's always a bad sign, your own irc server hating you.
<2> http://www.kittycannon.net/
<4> Ach! b33r bubbles!
<3> XyZzY: you bastard. I'm doing -wine- :P
<3> fredk: if whitecap has boobs, I'd like to see yours
<6> next you guys will wanna check out manginas
<8> somebody say boobs?
<4> Ka-bar: man-boobs
<6> m33p
<8> at the peak of my swimming career, I was 6'3" and 170 lbs.
<4> wtf? C J Cherryh also had a book called The Cuckoo's Egg?
<6> hmmmm, bukkake on a license plate
<2> Ka-bar, now you're 5'5 and 400 lbs?
<6> heh...put 7177135 on a license plate
<6> or 8008135 :)
<9> that doesn't look much like english
<10> "Treasonous my better friend already me this breaking the balls, ke I do? I do not want to send it to the excrement and I cannot erase EXCREMENT! :S:S"
<10> translated by babelfish
<11> Traidora: english only in here. try #linuxlatino or #linuxro or whatever
<10> i had to correct his 'kiero'
<12> cr0nfield: hahaha
<13> okz
<13> ;)