If these are switches that can be managed via SNMP, you might be able to
push the configs out by using some form of SNMP manager software. However,
you may still have to resort to some scripting depending on the tool you're
using.
I can understand the firewall being used to help protect the customers, but why not implement the customer isolation via switch-based ACLs? If you create a private class B (192.168.0.0/16) network, you can divy up the subnet space for each customer. Then slap on an ACL that denies all traffic to 192.168.0.0/16, but allows traffic to DHCP/DNS servers and the internet. Then you could use the firewall to NAT the private class C to the public network.
I'll warn that even though I test software for network switches and routers, my main job is not deploying networks, so I may be speaking out of my ass. :P
ACL Binder
I can understand the firewall being used to help protect the customers, but why not implement the customer isolation via switch-based ACLs? If you create a private class B (192.168.0.0/16) network, you can divy up the subnet space for each customer. Then slap on an ACL that denies all traffic to 192.168.0.0/16, but allows traffic to DHCP/DNS servers and the internet. Then you could use the firewall to NAT the private class C to the public network.
I'll warn that even though I test software for network switches and routers, my main job is not deploying networks, so I may be speaking out of my ass. :P
ACL Binder
I trust a security device farther than a mere switch, no matter how smart
the switches are. All network management will be turned off, everything
set up via serial console only. Each vendor gets one network jack, each jack
gets its own vlan, each vlan gets a 192.168.x.0/24 and dhcp scope and is nat
out to the internet. Each vendor is mostly going to have one point of sale
terminal that uses its own crypto.
whatever encryption it uses.
If multiple stalls are one vendor, put them in the same vlan. otherwise, if someone needs more jacks, they can put their own crappy dlink in.
This way we can also plug the ATMs in to any jack, and there is also structured wifi going in on a completely different firewall interface for the public to use.
I will look into switch level ACL butI don't think we will need that.
whatever encryption it uses.
If multiple stalls are one vendor, put them in the same vlan. otherwise, if someone needs more jacks, they can put their own crappy dlink in.
This way we can also plug the ATMs in to any jack, and there is also structured wifi going in on a completely different firewall interface for the public to use.
I will look into switch level ACL butI don't think we will need that.
oh and my management tool of choice is ssh and minicom, plus simple bash or
ruby scripts to generate configs.
For years I have known that the NA in nazi stands for network administrator,
but it wasn't until last week when a friend of mine enlightened me as to what
the entire acronym stood for:
Network Administrator, Zero Internet.
Network Administrator, Zero Internet.
I R Not a Network Admin, but am apparently playing one on this (very last,
ever, I promised myself) side gig. I'd rather have my free time to go play
with my DSLR and do something more creative than protecting networks from
their users.
Network Administrator, Zero Internet.
Heh. By the way Ford, I've recently had a chance to see an HTTPS proxy, and it works exactly as we suspected it does -- they basically force you to accept a man-in-the-middle attack from your local NAZI.
Then they perform ordinary proxy services on it. That's why fun SSL tunneling games don't work.
Good to know, I just didn't get it, and it just killed me that something
that unexplainable was going on.
Thaks for the explanation.
fuckin nazis.
Thaks for the explanation.
fuckin nazis.
you could always try tunneling a vpn over dns... not sure what thruput is
possible tho.
Is anyone currently messing around with or using IPv6 in a production environment?
If so, what client OS(s) are you using? There seem to be a lot of Dreally
bad, unpatched, easy to run IPv6 based DoS attacks for Windows and Linux out
there right now. :-/
I've been hard at work IPv6-enabling our data center. So far, the only "security
holes" I've seen were incompetent administrators who forget to do simple things
like putting up firewalls.
If you have Router Discovery turned on, you're still vunerable to this one:
http://samsclass.info/ipv6/proj/flood-router6a.htm
http://samsclass.info/ipv6/proj/flood-router6a.htm
So ... Windows is inexcusably insecure out of the box. What else is new?
Not much, but that's a pretty severe wide open problem.
Here's another less nasty one that also affects Linux http://samsclass.info/ipv6/proj/proj-124-13x-sendpees6.html:
Well, yes, it is possible to operate a rogue IPv6 router and fool the local machines into using you as their default gateway, but it's just as possible to operate a rogue DHCP server on an IPv4 network. It's an issue but it isn't a new issue, nor is it a show-stopping one.
With my admittedly limited understanding of networking though, it seems like
the RSA signed packet DoS is specific to IPv6 and it prevents router spoofing
but opens a different can of worms. I've experienced many times rouge DHCP
servers on IPv4 networks, mostly accidental though.
FWIW the guy whose website I'm linking to, Sam Bowne, gave this talk at Defcon which I found on youtube and found very informative regarding IPv6, having known little to nothing about it before : http://www.youtube.com/watch?v=zIUgH2wVt_0
So much to learn though.
FWIW the guy whose website I'm linking to, Sam Bowne, gave this talk at Defcon which I found on youtube and found very informative regarding IPv6, having known little to nothing about it before : http://www.youtube.com/watch?v=zIUgH2wVt_0
So much to learn though.
I think the biggest change is getting out of the NAT mindset. IPv6 restores
the original end-to-end nature of the Internet.
Allowing hosts to perform router discovery and generate their own IPv6 addresses, reminds me of the old days of Netware IPX/SPX. Hopefully it will become common for hosts to automatically register themselves with nameservers, and we will have come full circle.
I use static IPv6 addresses for routers, and for DNS servers. Everything else uses the address automatically assigned using router discovery plus the MAC address. At the moment, my workflow is to log in using IPv4 and then copy-and-paste the IPv6 address into the DNS server. This seems suboptimal and I would like to see the process automated.
Allowing hosts to perform router discovery and generate their own IPv6 addresses, reminds me of the old days of Netware IPX/SPX. Hopefully it will become common for hosts to automatically register themselves with nameservers, and we will have come full circle.
I use static IPv6 addresses for routers, and for DNS servers. Everything else uses the address automatically assigned using router discovery plus the MAC address. At the moment, my workflow is to log in using IPv4 and then copy-and-paste the IPv6 address into the DNS server. This seems suboptimal and I would like to see the process automated.