Help on configuration

Thread: Help on configuration

  1. #1 Member | Join Date: Sep 2001 | Posts: 31

    Help on configuration

    I have to check the internal security of my system. I rebuilt all the firewall rules to use IP vs. MAC addresses, configured the proxy to be transparent, and cancelled all the PREROUTING tables in the gateway. Is there any other way someone from inside can use IP tunneling, or another technique, to gain access to the inner network?

    I need that no one can use proxies different from mine, and that all the traffic will be checked through the firewall.

    Is this enough?
    we work in the dark - we give what we have - we do what we can - our doubt's our passion - our passion our task - the rest....- is the madness of art.

  2. #2 MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    What if someone puts a trojan on a website that you access and it's downloaded to your system via techniques used by spyware?

    Do you trust all your friends that visit your place and use your computer?

    Are you sure that email you receive, in HTML format, isn't doing something it shouldn't?

    The above are all questions that can bypass the firewall because they are allowed via other methods (i.e., the browser going out and receiving traffic, allowing email with HTML and other web enhancements, being too trusting of friends).

    Just putting up a firewall is not enough. Today's security MUST be layered and have multiple components to it such as (but not limited to) antivirus, spyware detection, IDS (Intrusion detection) and host hardening.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter | MsMittens' HomePage

  3. #3 Member | Join Date: Sep 2001 | Posts: 31
    About the downloading process: it is totally secure, because you can even download zip files. All the inner traffic is masked with the address of the gateway; even if you check the IP of an inner machine with www.wathsmyip.com it shows nothing but garbage. So if you try to connect to an intranet address you have to pass through the gateway, and the gateway is behind a firewall, and between the gateway and the intranet there is also another one.

  4. #4 MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    But what checks the zip file to ensure that the file itself is secure and trustworthy?

  5. #5 Member | Join Date: Sep 2001 | Posts: 31
    Hehe, sorry, I meant that you can't download even a zip file. All pages are filtered using Norton on an NT server before the people in the intranet can see them.

  6. #6 MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    Ah... this is a work setup correct? You are aware that 70% of all attacks against companies are from the Internet. The question is what are you doing to defend against the other 30% (which are from internal sources like employees and such)?

  7. #7 Member | Join Date: Sep 2001 | Posts: 31
    That's right. To be more specific, this is my config:

    I use a DHCP server.
    In the iptables I have access permissions using IP vs. MAC; this is to avoid impersonation.
    The iptables are on the firewall, which acts as the gateway.
    The proxy (squid) is configured to deny any download.
    MSN passes through the proxy, and all the traffic for it (and other messengers) is monitored and recorded, only the file transfers.
    The files transferred through these services are checked with antivirus software, and if I want I can manually cancel any transmission.

    The firewalls are totally packed; they only have SSH open.
    What am I missing?

  8. #8 MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    Well, depending on your company's policies: filtering based on certain word types (e.g., to detect child porn surfing etc.), ensuring that HTML is disabled on users' email clients, local security for each machine, and an IDS to detect attacks. Also, keep in mind that just because SSH is open doesn't mean they can't use SSH tunnelling to bypass your AV and other filters.

  9. #9 Member | Join Date: Sep 2001 | Posts: 31
    Thanks. And one more thing: the trusted client for the firewall is my IP vs. my address. I have permission for all pages and can download everything. Is there any way that anyone could impersonate me? (They CAN'T have access to my laptop, hehe, they'll have to kill me first.)
    I have experimented with changing MAC addresses, but only through hardware. Is there any way they can do it through software?

  10. #10 MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324
    A hijacking tool like Ettercap would be effective. Might want to investigate into things like Man-in-the-middle attacks and/or hijacking.
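As an added defender-side example (not code from the thread or from either poster): the "IP vs. MAC" rules described in post #7 are only as strong as the ARP mapping the firewall trusts, and the hijacking mentioned in post #10 works by rewriting exactly that mapping. The Python below renders such a binding policy as iptables rules and then audits `ip neigh` style snapshots for the indicators a defender would watch: the gateway address resolving to a foreign MAC, a trusted IP resolving to the wrong MAC, an unknown host, and one MAC answering for several IPs. The binding table, gateway address and ARP lines are constructed, and the rule rendering is an assumption about how such a policy is usually expressed, not the poster's actual rule set.

```python
"""Audit an IP-to-MAC binding policy against ARP cache snapshots.

The binding table, gateway address and ARP lines are constructed for this
example; nothing here is taken from the thread.
"""
import re
from collections import defaultdict

# Constructed trusted-client table: the kind of list the firewall's
# "IP vs. MAC" rules and DHCP reservations would be built from.
GATEWAY_IP = "192.168.1.1"
TRUSTED_BINDINGS = {
    "192.168.1.1":  "00:11:22:33:44:01",  # gateway/firewall (constructed)
    "192.168.1.10": "00:11:22:33:44:0a",  # admin laptop (constructed)
    "192.168.1.20": "00:11:22:33:44:14",  # workstation (constructed)
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


def build_forward_rules(bindings, gateway_ip, chain="FORWARD"):
    """Render iptables rules that forward a client's packets only when its
    source IP arrives from the MAC registered for it, then drop the rest.
    Assumed rendering of the poster's scheme; the gateway gets no client rule."""
    rules = []
    for ip, mac in sorted(bindings.items()):
        if ip == gateway_ip:
            continue
        rules.append(
            f"iptables -A {chain} -s {ip} -m mac --mac-source {mac} -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


def parse_arp_line(line):
    """Return (ip, mac) from an `ip neigh` or `arp -n` style line, or None
    when the entry carries no MAC (INCOMPLETE/FAILED neighbours)."""
    ip = IPV4_RE.search(line)
    mac = MAC_RE.search(line)
    if not ip or not mac:
        return None
    return ip.group(1), mac.group(1).lower()


def audit_arp(bindings, arp_lines, gateway_ip):
    """Compare an ARP snapshot with the trusted bindings; return findings.

    gateway-spoofed: gateway IP resolves to a foreign MAC (ARP poisoning sign)
    mac-mismatch:    trusted client IP resolves to an unexpected MAC
    unknown-host:    IP not present in the bindings at all
    mac-reused:      one MAC answering for several IPs
    """
    findings = []
    ips_by_mac = defaultdict(list)
    for line in arp_lines:
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        ip, mac = parsed
        ips_by_mac[mac].append(ip)
        expected = bindings.get(ip)
        if expected is None:
            findings.append(("unknown-host", ip, mac))
        elif expected.lower() != mac:
            kind = "gateway-spoofed" if ip == gateway_ip else "mac-mismatch"
            findings.append((kind, ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-reused", mac, tuple(sorted(ips))))
    return findings


# Constructed `ip neigh` output: a clean snapshot, and one where the
# workstation's MAC has started answering for the gateway address too.
CLEAN_SNAPSHOT = [
    "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE",
    "192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a REACHABLE",
    "192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 STALE",
    "192.168.1.30 dev eth0 FAILED",
]
POISONED_SNAPSHOT = [
    "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE",
    "192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a REACHABLE",
    "192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE",
    "192.168.1.99 dev eth0 lladdr 00:11:22:33:44:99 STALE",
]

if __name__ == "__main__":
    for rule in build_forward_rules(TRUSTED_BINDINGS, GATEWAY_IP):
        print(rule)
    print("clean:", audit_arp(TRUSTED_BINDINGS, CLEAN_SNAPSHOT, GATEWAY_IP))
    print("poisoned:", audit_arp(TRUSTED_BINDINGS, POISONED_SNAPSHOT, GATEWAY_IP))
```

On a real network the audit would be fed the output of `ip neigh show` collected from the gateway and from hosts on each segment, so that a forged gateway MAC is seen from the victim's side as well. The finding kinds map onto the mitigations a defender reaches for next: a static ARP entry for the gateway on critical hosts, DHCP snooping or port security on the switch, and an IDS rule that alerts when the gateway's MAC changes.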
