Win (98 at least) netstat doesn't understand the -l switch. With
the -a switch it will list all connections but it still doesn't tell
you -what- (program) is on the port.
--L. Benjamin Williams mailto:WmsEnterprises "at" crosswinds.net
On Monday, October 02, 2000 at about 10:22:09 PM, you wrote:
>> -----Original Message-----
>> From: Truman Boyes [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, 3 October 2000 11:20 AM
>> To: [EMAIL PROTECTED]
>> Subject: RE: User level packet filtering
>>
>>
>> On Tue, 3 Oct 2000, Ben Nagy wrote:
>>
>> > (As for development - How about an egress IPSec gateway that applies a VLAN
>> > 'colour' to user packets for matching by devices further out? How about a
>> > multi-NIC box that selects an exit NIC based on user class? What if we use
>> > per-user NAT (for a cheap, nasty solution) to make it easy for traditional
>> > firewalls to filter by IP address?)
>>
BN> [this level: truman]
>> sure it can be cheap nasty solutions, but very feasible. it would not take
>> too much to make a multi-NIC box first do authentication based on
>> Kerberos, then depending if your password is valid, your IP address is
>> then NAT'd to the src of an external nic. and if your session times out,
>> your translation is removed from the table.
BN> Yeah, I only call this "cheap and nasty" because using NAT often creates
BN> some problems, so I'm a bit loath to use it to solve problems other than the
BN> one it was meant for. Mind you, Cisco decided to base a whole firewall on
BN> it, so what do I know. ;)
>>
>> i think i remember reading of a university that employed a BSD solution
>> doing NAT, and authenticating ethernet ports with telnet. for example, you
>> plug into an arbitrary port in the university, and get your address based
>> on dhcp. you are now completely blocked from communicating with
>> anyone. upon telnet'ing to a specific auth host, and putting in your
>> password, your port is now free to connect all over.
BN> That's cute. Exactly the same concept as the Lock and Key thing that Cisco
BN> support. Some vendors are now pushing "Directory Enabled Networks" that
BN> extend this concept (which is what I alluded to earlier). It's the same
BN> thing - get placed in a "holding" VLAN, auth to something (LDAPPY), then
BN> have the _switch_ reconfigure the port on the fly, expire your holding lease
BN> and give you a new DHCP address in your appropriate network. Devices can
BN> then just filter by IP addresses. Uh, after VLAN wrangling anyway.
BN> Things I don't like about it - it's based on VLANS and it means you need to
BN> buy more hardware / software. In addition, you need to munge your auth model
BN> into something supported by the DEN equipment. Shouldn't be hard in most
BN> cases though. Also, DEN requires switch smartness (which the open method
BN> above doesn't).
>>
>> the bsd box modified its ipf.rules and ipnat.rules tables on the fly, and
>> loaded them into memory. they also constantly sent little heartbeats to
>> your host, and when you were no longer reachable, your ip address was
>> removed and the holes were closed back up.
BN> Yeah, the "little heartbeats" are part of why I don't like this solution.
BN> Also, in effect, you're basing the security on IP address. A combination of
BN> a DoS and fragrouter would enable a dedicated attacker to get around the
BN> system. Kerberos itself is vulnerable to password guessing attacks and (in
BN> special circumstances) replays. My crazy idea solves these problems, of
BN> course, since IPSec uses strong auth and the protocol protects against
BN> replays. Unless you're braindead and decide to use shared secrets or manual
BN> keying. Which you wouldn't. That would be braindead.
BN> Cheers,
BN> --
BN> Ben Nagy
BN> Network Consultant, Volante Solutions
BN> PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
BN> -
BN> [To unsubscribe, send mail to [EMAIL PROTECTED] with
BN> "unsubscribe firewalls" in the body of the message.]
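Added illustration, not code from any of the posts above: a toy model of the IP-keyed authorising gateway Truman describes and Ben critiques (login admits an address, heartbeats refresh its lease, missed heartbeats remove it). The interface name, addresses and the IPFilter-style rule text are constructed for illustration and are not taken from the thread.

```python
"""Toy model of an authorising NAT gateway whose table is keyed by client IP.

Constructed illustration: the login check itself is out of scope (a boolean
stands in for it), and the rendered rules only mimic ipf/ipnat syntax.
"""
from dataclasses import dataclass


@dataclass
class Lease:
    user: str
    last_seen: float  # time of the last answered heartbeat


class AuthGateway:
    def __init__(self, ext_if: str, ext_addr: str, timeout: float):
        self.ext_if, self.ext_addr, self.timeout = ext_if, ext_addr, timeout
        self.table: dict[str, Lease] = {}  # the only key is the source IP

    def authenticate(self, ip: str, user: str, password_ok: bool, now: float) -> bool:
        """Admit ip after a successful login and open its lease."""
        if not password_ok:
            return False
        self.table[ip] = Lease(user, now)
        return True

    def heartbeat(self, ip: str, now: float) -> bool:
        """Refresh the lease when the host answers a probe."""
        lease = self.table.get(ip)
        if lease is None:
            return False
        lease.last_seen = now
        return True

    def expire(self, now: float) -> list[str]:
        """Drop hosts silent for longer than the timeout; return the removed IPs."""
        dead = [ip for ip, l in self.table.items() if now - l.last_seen > self.timeout]
        for ip in dead:
            del self.table[ip]
        return dead

    def is_allowed(self, src_ip: str) -> bool:
        # Ben's point: per packet, the only credential consulted is the source address.
        return src_ip in self.table

    def render_rules(self) -> list[str]:
        """Emit the table as illustrative ipnat/ipf-style lines, default deny last."""
        rules = []
        for ip in sorted(self.table):
            rules.append(f"map {self.ext_if} {ip}/32 -> {self.ext_addr}/32")
            rules.append(f"pass in quick from {ip}/32 to any keep state")
        rules.append("block in all")
        return rules
```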