Re: Enterprise Multihoming

2004-03-11 Thread Andrew Simmons


John Neiberger wrote:


On another list we've been having multihoming discussions again and I
wanted to get some fresh opinions from you. 

Whilst the topic's under discussion may I present myself as a lightning
rod :) by asking:
(a) Has anyone here used any of the 'basement multi-homing in a box'
products such as Checkpoint's ISP Redundancy feature?
http://www.checkpoint.com/products/connect/vpn-1_isp_redundancy.html
(The 'VPN-1' brand is slightly misleading - it's a generic firewall.)
This allows edge networks to multihome between separate ISPs.  When it was
first mentioned around the office I explained that it couldn't possibly
work, and my colleagues explained to me that I was full of it and that the
product is on the market and in use. (It has subsequently been lab'd here
and seemed to work between our main link (UUnet) and a humble BT DSL line.)
As far as I understand it, it's a form of NAT - the device keeps track of
which session's packets are going where and spreads traffic around. If one
ISP goes down it'll fail over to the other link.
(b) I suspect the answer will be a vehement 'no!' -- if so, why? Obviously
this won't scale terribly well at the service provider level but for edge
networks - what's wrong with it?
Obviously this only works for outbound sessions but there are plenty of
large enterprises happy to keep the majority of inbound services (web etc)
off in a nice secure hosting centre where real netops will use BGP for real
multihoming.


cheers

\a

--
Andrew Simmons
Penetration Tester | Security Consultant
MIS Corporate Defence Solutions, Ltd.
Hermitage Court, Hermitage Lane, Maidstone, Kent ME16 9NT
Tel: 01622 723432 / Mobile: 07739 834833

(sorry about the disclaimer - there's nothing I can do about it :(  )

The information contained in this message or any of its attachments may be privileged 
and confidential and intended for the exclusive use of the intended recipient.  If you 
are not the intended recipient any disclosure, reproduction, distribution or other 
dissemination or use of this
communications is strictly prohibited.   The views expressed in this e-mail
are those of the individual and not necessarily of MIS Corporate Defence Solutions 
Ltd.  Any prices quoted are only valid if followed up by a formal written quote.  If 
you have received this transmission in error, please contact our Security Manager on 
+44 (01622) 723410.
This email is intended for the recipient only and contains confidential information, some or all of which may be legally privileged. If you are not the intended recipient, you must not use, save, disclose, distribute, copy, print or rely on this email or any information contained within it. Please notify the sender by return and delete it from your computer. Thank you.
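The "form of NAT" sketched in the post above, written out as a toy model so the failure modes are concrete. This is an added example by the editor, not Checkpoint's code or a description of how the ISP Redundancy feature is implemented; the link names, the RFC 5737 documentation addresses and the round-robin link choice are assumptions. It shows the three properties the post raises: new outbound sessions are spread across whichever ISP links are up, each session stays pinned to the link (and so the public source address) it started on, and when a link fails the sessions on it cannot be migrated, because the far end would see traffic from the other ISP's address as a different connection. It also shows why the scheme is outbound-only: an unsolicited inbound packet matches nothing in the session table.

```python
import itertools
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    public_ip: str  # address assigned by this ISP; only routable via this ISP
    up: bool = True


@dataclass
class Session:
    inside: tuple   # (inside host, source port)
    outside: tuple  # (destination host, destination port)
    link: Link
    nat_port: int


class MultihomingNat:
    """Spreads new outbound sessions across the ISP links that are up and pins
    each session to the link, and therefore the public address, it started on."""

    def __init__(self, links, first_port=40000):
        self.links = list(links)
        self.table = {}  # (inside, outside) -> Session
        self._rr = itertools.cycle(self.links)
        self._ports = itertools.count(first_port)

    def _pick_link(self):
        # round-robin over the links, skipping any that are down
        for _ in range(len(self.links)):
            link = next(self._rr)
            if link.up:
                return link
        raise RuntimeError("no uplink available")

    def outbound(self, inside, outside):
        """Translate an outbound packet.
        Returns (link name, translated source (ip, port), destination)."""
        key = (inside, outside)
        sess = self.table.get(key)
        if sess is None:
            sess = Session(inside, outside, self._pick_link(), next(self._ports))
            self.table[key] = sess
        return sess.link.name, (sess.link.public_ip, sess.nat_port), outside

    def inbound(self, link, dst, src):
        """Reverse-translate a packet arriving on `link` for (public_ip, nat_port)
        from `src`. Returns the inside (host, port), or None when nothing in the
        table matches, which is the fate of every unsolicited inbound connection."""
        for sess in self.table.values():
            if (sess.link is link and dst == (link.public_ip, sess.nat_port)
                    and src == sess.outside):
                return sess.inside
        return None

    def link_down(self, link):
        """Mark an ISP link failed and tear down the sessions pinned to it.
        They cannot be moved to the other link: to the far end a packet from the
        other ISP's address belongs to a different flow. Returns the torn-down keys."""
        link.up = False
        dead = [k for k, s in self.table.items() if s.link is link]
        for k in dead:
            del self.table[k]
        return dead


def demo():
    # constructed scenario: a main link and a DSL line, as in the post
    uunet = Link("uunet", "198.51.100.10")
    dsl = Link("bt-dsl", "203.0.113.77")
    nat = MultihomingNat([uunet, dsl])

    a = nat.outbound(("10.0.0.5", 51000), ("192.0.2.80", 80))   # first session -> uunet
    b = nat.outbound(("10.0.0.6", 51001), ("192.0.2.80", 80))   # second session -> dsl
    a_again = nat.outbound(("10.0.0.5", 51000), ("192.0.2.80", 80))  # pinned: same link, same address

    reply = nat.inbound(uunet, a[1], ("192.0.2.80", 80))            # reply to a's SYN is translated back
    unsolicited = nat.inbound(uunet, ("198.51.100.10", 443), ("192.0.2.9", 33333))  # no entry -> dropped

    torn = nat.link_down(uunet)                                     # a's session dies with the link
    c = nat.outbound(("10.0.0.5", 51000), ("192.0.2.80", 80))       # the host must reconnect, now via dsl
    return dict(a=a, b=b, a_again=a_again, reply=reply, unsolicited=unsolicited, torn=torn, c=c)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run it as a script to see the sequence; the point to notice is that after `link_down` the same inside (host, port) pair gets a new translated address on the surviving link, which is exactly what a TCP peer will not accept as a continuation of the old connection. Long-lived sessions (VPN tunnels, SSH, database connections) therefore do not "fail over", they reconnect.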


Re: sniffer/promisc detector

2004-01-23 Thread Andrew Simmons


Ruben van der Leij wrote:

+++ Alexei Roudnev [22/01/04 09:05 -0800]:

My results vary from 15 minutes to 1 hour.


Mine too. So nmap sucks if you want to quickly identify daemons running on
strange ports. No big deal. This discussion wasn't about nmap to start with.


Point of interest: Dan Kaminsky's scanrand (part of Paketto Keiretsu - 
www.doxpara.com, which seems to be down right now, but the Google cache 
works) is a very fast bulk scanner:

"During an authorized test inside a multinational corporation's class B,
 scanrand detected 8300 web servers across 65,536 addresses. Time elapsed:
 approximately 4 seconds."
http://www.pantek.com/library/general/lists/newsfeed.osdn.com/osdn-developer-txt-mm/msg1.html 

http://www.doxpara.com/ - down at present but Paketto is widely mirrored.

There was also a "scan the entire Internet" project a few years back which 
used BASS, a bulk scanner. (grep the report for 'they're hre' for a 
tale of uber hacking that makes the hair stand up on the back of my neck 
even today...)

BASS:
http://www.securityfocus.com/data/tools/network/bass-1.0.7.tar.gz
Report:
http://www.viacorp.com/auditing.html
\a

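Scanrand gets the speed quoted above by not keeping per-probe state: the target's addressing is folded into the TCP initial sequence number as a keyed hash (Kaminsky called this an "inverse SYN cookie"), so whatever comes back can be verified by recomputing the hash from the reply's ACK number minus one. That design is a known property of the tool but is not described in the post; the following is an added illustration by the editor of the idea, not scanrand's code, and it works on constructed replies rather than the wire (no raw sockets). The secret key, the port numbers and the RFC 5737 addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF


def cookie(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> int:
    """32-bit probe sequence number derived only from the key and the probe's
    addressing. Nothing about the probe has to be remembered to check a reply."""
    msg = ipaddress.ip_address(dst_ip).packed + struct.pack("!HH", dst_port, src_port)
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]


def build_probe(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> dict:
    """What the sender would put in the SYN; returned only so the demo can forge replies."""
    return {"dst_ip": dst_ip, "dst_port": dst_port, "src_port": src_port,
            "seq": cookie(key, dst_ip, dst_port, src_port)}


def classify_reply(key: bytes, reply: dict):
    """Classify a reply seen by the (stateless) listener.
    reply: {src_ip, src_port, dst_port, ack, flags}. Returns 'open' for SYN/ACK,
    'closed' for RST/ACK, or None when the ACK does not verify, i.e. the packet
    is not the answer to a SYN this scan sent (stray traffic or a forgery)."""
    expected = (cookie(key, reply["src_ip"], reply["src_port"], reply["dst_port"]) + 1) & MASK32
    if reply["ack"] != expected:
        return None
    if reply["flags"] == {"SYN", "ACK"}:
        return "open"
    if reply["flags"] == {"RST", "ACK"}:
        return "closed"
    return None


def demo():
    # The key must be secret for the run: anyone who knows it can forge 'open' results.
    key = b"per-scan-secret (constructed)"
    src_port = 4000
    targets = [("192.0.2.1", 80), ("192.0.2.2", 80), ("192.0.2.3", 80), ("192.0.2.4", 80)]
    probes = [build_probe(key, ip, p, src_port) for ip, p in targets]

    # Constructed replies as the listener would see them. 192.0.2.4 never answers:
    # a stateless scanner only learns that by waiting, it has no list of outstanding probes.
    replies = [
        {"src_ip": "192.0.2.1", "src_port": 80, "dst_port": src_port,
         "ack": (probes[0]["seq"] + 1) & MASK32, "flags": {"SYN", "ACK"}},   # genuine, open
        {"src_ip": "192.0.2.2", "src_port": 80, "dst_port": src_port,
         "ack": (probes[1]["seq"] + 1) & MASK32, "flags": {"RST", "ACK"}},   # genuine, closed
        {"src_ip": "192.0.2.3", "src_port": 80, "dst_port": src_port,
         "ack": (probes[2]["seq"] + 2) & MASK32, "flags": {"SYN", "ACK"}},   # wrong ACK: forged
    ]

    # Note that classification never consults `probes`: the state lives in the packet.
    results = {}
    for r in replies:
        verdict = classify_reply(key, r)
        if verdict is not None:
            results[(r["src_ip"], r["src_port"])] = verdict
    return results


if __name__ == "__main__":
    print(demo())
```

The trade-off this buys is the one the post is about: with no per-probe table the sender can emit SYNs as fast as the link allows and the listener validates answers at line rate, which is how a /16 gets covered in seconds. The cost is that "filtered" and "not answered yet" are indistinguishable without a timeout, and the sequence numbers leak nothing useful only as long as the key stays secret.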