Simon Smith wrote: > My concern isn't firewall management. My concern isn't with SSL > going over the Internet. My concern is more with SSL on a LAN and that > this IT tool and other similar tools can be compromised easily once a > LAN is penetrated. Providing an extra layer of security within the SSL > tunnel would help to prevent this tool and others like it from being > compromised so easily. My first thought was on how to harden the > authentication because the basic auth didn't cut it for me. Thats what I > am looking for ideas for.
So, buy decent switches -- you know, properly configurable, managed ones -- and implement strict access control policies for _ALL_ equipment connected to the LAN. Machine0001 with MAC ###### must connect to port 123 in room 101 of Building 3, etc, etc. Disable _ALL_ unused ports. Prevent all unknown devices from accessing the LAN at all. Set serious alarms on all unknown device appearances, "unexpected" device disconnections, etc. It's still not perfect, but _nothing is_ remember... However, it will also (partly) fix a whole bunch of other problems for you as well. Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
