Hi Mike
I understand the concern, but when I advise people [clients] on this issue, I tell them things like this:
First of all:
Always compare the trouble it takes to spoof the network with what it takes to physically walk in and get the data!
If people want to get some sensitive data from you, it sounds like they don't even want to start spoofing anything!
When you say student environment, do you mean "They just want to hack away..."? If so, I would suggest setting up a lab and teaching in it instead! And here I don't mean 'teaching them to commit crimes' but teaching technology, together with the right attitude on how to use their knowledge!
Second:
1: Know your machines. Know your environment.
2: If your environment is MS/Windows, there are a lot of weak souls around who want to bash the system, basically because they don't like M$. Sounds like you've dealt with that area...
One solution to this is to use the OS the task needs. Running InterMapper does not need WinTel, though we now have the option!
I would suggest setting up the IM machines on Mac OS [9 | X], since 99.9% of all 'hackers' peel off on that.
3: Just secure your system. If you don't need a service, don't run it! IM doesn't need Apache/Sendmail etc., so don't run them.
I've been doing IT with Mac OS for 10+ years now, and have yet to actually see one hacker attempt on our systems. Admittedly, I have not been running government systems, but I have been running systems for large corporate sites.
4: Open up, but watch it. From a security point of view, there are two ways of doing things:
a: Lock everything up à la Fort Knox and forget about it, or
b: Don't lock it up that much, watch your logs/events/systems and learn about possible intruders.
Doing B gives you two advantages: 1) being able to run the tools you like, in a restricted way, and 2) learning when/who might walk into your complex and just grab the data.
Keep it up, hope it helps.. ;-)
On Friday, Mar 7, 2003, at 23:57 Europe/Copenhagen, Mike Dustan wrote:
Hi All:
Thanks, Jakob, for the suggestion. Yes, it's a fortress and we
like/need it that way (sensitive data, high bandwidth site, student
environment - you get the idea). We thought of the strategy you
describe but it means opening an inbound port through the tiers so
tier 3 IM can receive the map status from tiers 1 and 2. Inbound
ports are verboten. Inside traffic can get out through outbound ports.
Opening the connection from the inside is fine, except that the data
coming in in response can be spoofed or corrupted. In the IM scenario
this is definitely paranoia running wild (fake IM maps?), but the
design and policy is intended to block ALL unauthorised traffic
(student records, payroll info etc.).
Subject: Re: Monitoring multi-tiered network?
From: "Jakob Peterhänsel" <[EMAIL PROTECTED]>
Date: Thu, 6 Mar 2003 22:22:56 +0100
Hi Mike.
Sounds like one hell of a fortress to me, and I think you're locking
yourself down more than needed.
What is it that keeps you from allowing traffic from the inside to get
through? I can't see the security issue in that one!
As long as the connection is opened from the inside (tier 2 or 3), I
can't see the problem.
I would set it up this way:
Tier 1: IM Daemon/Server, monitoring local tier, allows Remote
connection from known IP[range].
Tier 2: Just like tier 1
Tier 3: Serves local map of tier 3, and one 'global' map with status
for the two others [Probe: Map Status].
Remote can also show Tier 1 & 2 maps, if needed.
Hope it helps.
...
Jakob Peterhänsel
Cheers!
--
Mike Dustan, Computing Operations & Tech. Support,
Simon Fraser University, Burnaby, BC Canada.
Web: http://www.sfu.ca/ots/
I'm never wrong. I thought I was wrong once, but I was wrong.
____________________________________________________________________
List archives: http://www.mail-archive.com/intermapper-talk%40list.dartware.com/
To unsubscribe: send email to: [EMAIL PROTECTED]
Jakob Peterhänsel
'I don't have to try to be a sex bomb, I am one!'
- Kylie Minogue
Email: [EMAIL PROTECTED]
AIM: Marook
Phone: +45 40163806
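Mike's objection above is that opening the connection from the inside does not stop the data coming back from being spoofed or corrupted. That is correct: the direction of the TCP handshake authenticates nothing about the peer's reply. What closes the gap is authenticating the reply itself, normally with TLS and server certificates, or, as shown here in a self-contained form, with a shared-key HMAC over a canonical encoding plus a sequence number and timestamp so a captured status blob cannot be replayed or served stale. This is an added example, not InterMapper's code and not the actual wire format of its Map Status probe; the field names, tier keys and fixed timestamps are all constructed for the demonstration.

```python
"""Authenticating status data pulled over an inside-initiated connection.

Added example (not InterMapper code). A tier-3 collector opens the outbound
connection; the tier-1/2 monitor answers with a status blob. The collector
accepts a blob only if its HMAC-SHA256 verifies under that tier's shared key,
its timestamp is fresh, and its sequence number is higher than the last one
accepted from that tier. Everything below is constructed sample data.
"""
import hashlib
import hmac
import json
import time

# Constructed per-tier shared keys; in practice provisioned out of band.
TIER_KEYS = {
    "tier1": b"constructed-tier1-key-0123456789abcdef",
    "tier2": b"constructed-tier2-key-fedcba9876543210",
}


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so signer and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_status(tier: str, map_name: str, status: str, seq: int, ts: float) -> dict:
    """Monitor side (tier 1/2): build the status payload and attach its MAC."""
    payload = {"tier": tier, "map": map_name, "status": status, "seq": seq, "ts": ts}
    mac = hmac.new(TIER_KEYS[tier], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class Collector:
    """Collector side (tier 3): verify MAC, then enforce freshness and monotonic seq."""

    def __init__(self, max_age: float = 60.0):
        self.max_age = max_age
        self.last_seq = {}  # tier -> highest sequence number accepted so far

    def accept(self, envelope: dict, now: float = None) -> tuple:
        now = time.time() if now is None else now
        payload = envelope.get("payload", {})
        key = TIER_KEYS.get(payload.get("tier"))
        if key is None:
            return False, "unknown tier"
        # Recompute the MAC over the canonical payload; constant-time compare.
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False, "bad mac"
        # Only trust seq/ts after the MAC checks out: they are attacker-controlled until then.
        if abs(now - payload["ts"]) > self.max_age:
            return False, "stale"
        if payload["seq"] <= self.last_seq.get(payload["tier"], -1):
            return False, "replay"
        self.last_seq[payload["tier"]] = payload["seq"]
        return True, "ok"


def demo() -> list:
    """Run one genuine blob, a tampered copy, a replay and a stale blob through a collector."""
    collector = Collector()
    now = 1_047_072_000.0  # fixed "now" so the run is deterministic
    good = sign_status("tier1", "tier1-map", "UP", seq=1, ts=now)
    tampered = json.loads(json.dumps(good))  # deep copy, then flip the status
    tampered["payload"]["status"] = "DOWN"
    stale = sign_status("tier1", "tier1-map", "UP", seq=2, ts=now - 600)
    return [
        collector.accept(good, now)[1],      # "ok"
        collector.accept(tampered, now)[1],  # "bad mac": MAC covers the status field
        collector.accept(good, now)[1],      # "replay": seq 1 already accepted
        collector.accept(stale, now)[1],     # "stale": valid MAC, ts too old
    ]


if __name__ == "__main__":
    print(demo())
```

Order matters in `accept`: the MAC is verified before the sequence number or timestamp is read, because until then those fields are whatever the peer (or a forger on the path) chose to put there. The same structure applies if the transport is TLS: the collector still has to pin or validate the monitor's identity, or the inside-initiated connection buys nothing against a spoofed responder.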
