Re: Firewall opinions wanted please

2004-03-17 Thread Alexei Roudnev
Not _firewalling_, but access limitation. Grandma can live with a PNAT router - she does not need any firewall, if she does not grant external access to anything. She can live with Windows _default deny_ setting. If grandma has extra money, it is better to purchase anti-virus. Moreover. Just for _gh

Re: Firewall opinions wanted please - clarification

2004-03-16 Thread Alexei Roudnev
You mean _PROTOCOL HANDLING_, I believe. I do not know, why people are paying so much attention to it. Important questions are: - which services are you providing for the public? - who will handle all your SSL sessions, if any (may be, Load Balancers? Then you do not bother about FW proxy for t

Re: Packet Kiddies Invade NANOG

2004-03-16 Thread Alexei Roudnev
Hmm, if someone (except masochists and security vendors) still hosts efnet... I can only send them my condolences. I saw the same dialogs 6 years ago. Nothing changes. - Original Message - From: "Stephen J. Wilcox" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>

Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)

2004-03-15 Thread Alexei Roudnev
Is it bad, if they (your sysadmins) understand your backbone infrastructure and understand such things, as MTU, MTU discovery, know about ACL filters (without extra details) and existing limitations? They are not required to know about VPN mode or T3 card configuration, but they must understand ba

Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)

2004-03-15 Thread Alexei Roudnev
- Original Message - From: "Scott Weeks" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, March 15, 2004 1:32 PM Subject: Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?) > > > > On Mon, 15 Mar 2004, Alexei Roudn

Re: Platinum accounts for the Internet (was Re: who offers cheap (personal) 1U colo?)

2004-03-15 Thread Alexei Roudnev
I expect, that good (tier-3, to say) network engineer MUST know Windows and Unix (== Linux, FreeBSD etc) on tier-2 (or better) level. Else, he will not be able to troubleshoot his _network problem_ (because they are more likely complex Network + System + Application + Cable problem). So, it is no

Re: Telia...

2004-03-13 Thread Alexei Roudnev
They are one of the best providers in Russia (and when I was there, in Europe). I visited their NOC in Stockholm about 5 years ago, they used very effective _common sense_ approach, combining brand names with brandless when it is more effective, using both commercial and home made opensource sof

Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-06 Thread Alexei Roudnev
We have the same freeware system, but I 100% agree with _you can not live without it_. - Original Message - From: "Arnold Nipper" <[EMAIL PROTECTED]> To: "McBurnett, Jim" <[EMAIL PROTECTED]> Cc: "Alexei Roudnev" <[EMAIL PROTECTED]&g

Re: One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread Alexei Roudnev
ate 'cisco update' based on 2 configurations (old and new)? We wrote such thing 4 years ago (in Russia), but it was still limited to our scope of configurations. - Original Message - From: "McBurnett, Jim" <[EMAIL PROTECTED]> To: "Alexei Roudnev"

One hint - how to detect invected machines _post morten_... Re: dealing with w32/bagle

2004-03-05 Thread Alexei Roudnev
Just for information - may be useful for someone. Task - we determined, that a few infected machines were connected to one of our offices a few days ago. They run one of these viruses, which generated a lot of scans and created significant traffic (but traffic was not big enough to raise alarm on outgoi

Re: Possibly yet another MS mail worm

2004-03-01 Thread Alexei Roudnev
Moreover, they can encrypt zip by password and write password inside the message. As a result, no virus scan detects this virus. And they will find enough idiots, who open zip, enter password and run virus. - Original Message - From: "Todd Vierling" <[EMAIL PROTECTED]> To: "Curtis M

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

2004-02-05 Thread Alexei Roudnev
> > Is it still very counter intuitive to set up a PIX to _not_ > do the eevul NAT? Is the PIX no longer PeeCee hardware underneath > (I know they got rid of the HDD) so not as to bring NOs down to the > level of the great unwashed throngs of desktop users? Of course, PIX is still a CISCO - this

Re: ISS X-Force Security Advisories on Checkpoint Firewall-1 and VPN-1

2004-02-05 Thread Alexei Roudnev
Checkpoint is a very strange brand. On the one hand, it is _well known brand_, _many awards_, _editors choice_, etc etc. I know a network consultant, who installed a few hundred of them, and it works. On the other hand, every time, when I have a deal with these beasts (we do not use them, but some our

Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Alexei Roudnev
So, instead of changing 'visualization' part of IE, MS gave up and decided to drop important piece of standard? Ok, you can always show HOST name in URL, dim user name, and position location so that you can see real host. You can show a warning, if user name looks like real domain name (have . in

Re: Latest IE patch breaking non username:password@encoded websites?

2004-02-03 Thread Alexei Roudnev
I rather treat this patch as a _bug_. user:[EMAIL PROTECTED] format is used (I have 3 or 4 instances in monitoring system, to allow automatic proxy onto the system with 'guest' user name, for example). To block scam, it was sufficient to restrict username length, or to set up a checkbox in explor

Re: Unbelievable Spam.

2004-02-03 Thread Alexei Roudnev
Spam is VERY EFFECTIVE. It _really_ increases sales. People (yes, and me too -:)) read SPAM and sometimes find interesting things. (Example - you can hate spam, but if you call Europe every day, and you see $.03/minute adv for long distance, you will remember it). Problem is, that spam is not sel

Re: SCO blames ISPs for blocking access to web site

2004-02-01 Thread Alexei Roudnev
Wolf was real; Boy was a bad boy; Now he is dead, not because he was eaten by the wolf, but because he decided to hide under the water and suffocate -:) Grand humor! -:) PS. I do not see this virus in our networks (except may be East Europe where I can not see exact data, but I can see traffic

Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today

2004-01-29 Thread Alexei Roudnev
If I install code, I'd like to know, when installation is trying to make _administrative_ change, explicitly - so that I have a chance to say YES or NO. In Windows, it is not implemented in installations - you _must_ begin installation as admin. Another big problem is permission system and direct

Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today

2004-01-29 Thread Alexei Roudnev
> > Most Windows boxes are running with administrative privileges. That makes > Windows a willing accomplice. The issue isn't that people click on > attachments, but that there are no built in safeguards from what happens > next. This is problem #1. Unfortunately, Windose is too complex and hav

Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today

2004-01-28 Thread Alexei Roudnev
RedHAT does not allow to run an attachment, even if attachment wishes to be run - it uses 'x' flag which is not attachment's attribute. Linux users are not Administrators, so virus can not infect the whole system,... Etc etc (Why RedHAT? It is the worst Linux among all. Use SuSe or Mandrak

Re: in case nobody else noticed it, there was a mail worm released today

2004-01-28 Thread Alexei Roudnev
> > > > : They rate of it is quite surprising. By the description, the trick / > : method of infection does not seem all that different than past worms > : viri. Makes me wonder how many people in a room would reach into their > : purse/pocket on hearing, "Wallet inspector" > > > Every sin

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-27 Thread Alexei Roudnev
Sorry; of course, I meant _change MTU_. > > > Both the ISL _and_ the Dotq headers are stripped off at the trunk > interface so they _both_ change the packet size but neither alters the > payload. > > > Scott C. McGrath > > On Mon, 26 Jan 2004 [EMAIL PROTECTED] w

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-27 Thread Alexei Roudnev
So what? Is it a significant drawback? I do not think so. Both ISL and 802.1q require special interface cards (with extended frame size), and I do not see any reason, why 26 bytes vs 4 bytes makes big difference. /May be, the only pro for 802.1q tagging is its possible implementation on the old

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-27 Thread Alexei Roudnev
It's a benefit. I do not want to support 100 different vendors with 100 different sets of bugs, 100 different methods to save / restore configurations, 100 different ways for authentication, etc etc... Today, it is a benefit. > > > > 3550 runs IOS. > > > > this is a benefit, especially in a swit

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-26 Thread Alexei Roudnev
> > > PS. How much ethernet ports do you have in the office? Do you have 100 K > > ports? If not, why do you need 128K MAC's? (I know only one case, when I > > need so much - some kind of DSL service... > > I guess you're not into metro networking. This is one of my exceptions - you really need 12

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-26 Thread Alexei Roudnev
ISL _DOES NOT CHANGE_ packet size. > Is it April 1st? ISL changes the size of packets, does it not? So now > you have to deal with MTU issues. What happens when I want the biggest > MTU possible? I know it is not much a difference in size, but for some > people, size does matter. > > I am q

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-26 Thread Alexei Roudnev
echnically, yes, CEF (with packet dropping) is not good to provide 2 Mbit by 100 Mbit link. > > On Sun, 25 Jan 2004, Alexei Roudnev wrote: > > > Of course, if they want L3 routing on every box (I do not like such idea, > > but it's possible), then 3550 (or what do th

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-26 Thread Alexei Roudnev
> To: "Alexei Roudnev" <[EMAIL PROTECTED]> Cc: "ken emery" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Sunday, January 25, 2004 10:17 PM Subject: Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs? > On Sun, 25 Jan 2004, Alexei Roudnev wrot

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-25 Thread Alexei Roudnev
L3 switching is just term for idiots - it is ROUTING in old terms. So, VLAN's means _routing_. The point of using VLAN's is that, in many cases, IP routing for VLANs is provided by the switching fabric, very effectively. And that you have universal patching - everything is very flexible. But ..

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-25 Thread Alexei Roudnev
VLANs? > > On Sun, 25 Jan 2004, Alexei Roudnev wrote: > > > 1) Use Cisco 2924 or 3524 > > Didn't you mean 2950 and 3550? > > -- > Mikael Abrahamsson email: [EMAIL PROTECTED] >

Re: Any 1U - 2U Ethernet switches that can handle 4K VLANs?

2004-01-25 Thread Alexei Roudnev
1) Use Cisco 2924 or 3524 2) Redesign your network to fit into 1024 VLANs 3) Do not spend time with junk (non Cisco, for the switches). U1 switch has only 24 - 48 ports, so you never need to handle 2000 VLAN's on it. And I suspect, that the whole design is wrong. Do not build custom configuratio

Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev
> > > My results vary from 15 minutes to 1 hour. > > Mine too. So nmap sucks if you want to quickly identify daemons running on > strange ports. No big deal. This discussion wasn't about nmap to start with. > The point of the discussion was whether it made sense to run services on > non-standard por

Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev
My results vary from 15 minutes to 1 hour.

Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev
run nmap -p1-65000 in automated tool (with 10 minutes / host, and usually much more), you will scan Internet forever. So, it pay off. - Original Message - From: "Fyodor" <[EMAIL PROTECTED]> To: "Alexei Roudnev" <[EMAIL PROTECTED]> Cc: "Ruben va

Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev
> > Yes. But making a bomber "stealth" means designing it to be difficult > to detect by an opponent. It doesn't mean painting "I am Not a > Bomber, I Am The Ice Cream Man" on the side and hoping nobody takes a > second glance at it. This works as well. 6 years ago we set up faked telnet service

Re: sniffer/promisc detector

2004-01-22 Thread Alexei Roudnev
to deal with the rest 1%. I'll measure time tomorrow... Such tools are usually very slow (and lose 20 - 50% of all packets, so to have a reliable result, you must scan host 2 - 4 times). - Original Message - From: "Crist Clark" <[EMAIL PROTECTED]> To: "Alexei

Re: sniffer/promisc detector

2004-01-21 Thread Alexei Roudnev
Please, do it: time nmap -p 0-65535 $target You will be surprised (and nmap will not report applications; to test a response, multiply time at 5 ). And you will have approx. 40% of packets lost. Practically, nmap is useless for this purpose. > > Somebody who isn't smart enough to do 'nmap -p 0

Re: sniffer/promisc detector

2004-01-21 Thread Alexei Roudnev
> > > > (I did not rate firewalls etc). > > Actually, an automated script or manual scan can find it trivially. > All you have to do is a quick port scan, looking for this: We can make an experiment: - I put such system (with ssh) on /26 network; - you scan it, find and report me time and bandwid

Re: Diversity as defense

2004-01-20 Thread Alexei Roudnev
Correct. Microsoft's problem is not security alone, but monoculture. If we have all systems around Windows2003, we are exposed to risk of devastating virus attack. No matter, how secure this Windows2003 is. - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAI

Re: sniffer/promisc detector

2004-01-20 Thread Alexei Roudnev
> > Uhm, that would be wrong. This is simply "security through obscurity". Yes, it is wrong for the _smart books_. But it works in real life. Of course, it should not be the last line of defense; but it works as a first line very effectively. If I rate safety as a number (10 is the best, 0 is t

Re: sniffer/promisc detector

2004-01-19 Thread Alexei Roudnev
> > i wish you were right. i wish you were even close to right. but we've been > attacked many times over the years by some extremely smart adolescent > psychopaths -- where adolescence is a state of mind in this case, rather > than of years -- and i wish very much that they would either stop be

Re: sniffer/promisc detector

2004-01-17 Thread Alexei Roudnev
od method to detect keyboard sniffer. So, if you are very serious about security, you must use active defence. - Original Message - From: <[EMAIL PROTECTED]> To: "Alexei Roudnev" <[EMAIL PROTECTED]> Cc: "Rubens Kuhl Jr." <[EMAIL PROTECTED]>; <[EMAIL

Re: sniffer/promisc detector

2004-01-17 Thread Alexei Roudnev
The best anti-sniffer is HoneyPot (it is a method, not a tool). Create so many false information (and track its usage) that hackers will be caught before they do something really wrong. Who do not know - look onto the standard, cage like, mouse - trap with a piece of cheese inside. -:) - O

Re: PC Routers (was Re: /24s run amuck)

2004-01-16 Thread Alexei Roudnev
As I remember, it used commercial gated. - Original Message - From: "Nicole" <[EMAIL PROTECTED]> To: "Vadim Antonov" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, January 15, 2004 7:02 PM Subject: Re: PC Routers (was Re: /24s run amuck) > > > On 15-Ja

Re: PC Routers (was Re: /24s run amuck)

2004-01-15 Thread Alexei Roudnev
Hmm; home equipment is, in many cases, much better than _industrial one_, if you concern about price/performance. Good example - HD disks. Industrial SCSI disks are 2 steps behind home, IDE, ones. Home made computer is, in many cases, much better than industrial SERVER, from DELL. Reason is very

Re: PC Routers (was Re: /24s run amuck)

2004-01-15 Thread Alexei Roudnev
And there is software mirror. Purchase SuperMicro U1 server, with 2 9 Gb SCSI disks (hot swappable). Install Linux SuSe with RAID-1. Install WEBMIN for remote management. (Of course, it's still worse than Cisco IOS, but it works). - Original Message - From: <[EMAIL PROTECTED]> To: "Mic

Re: PC Routers (was Re: /24s run amuck)

2004-01-15 Thread Alexei Roudnev
There is one more interesting problem. Let's, say, you install PC with ZEBRA and have all 120,000 prefixes. Internet is _internet_, sometimes people make crazy things, and create a bad (misconfigured, or very long, or very unusual) announces. Some announces are fatal for Cisco IOS, some for Zeb

Re: Good network sniffer?

2004-01-12 Thread Alexei Roudnev
{tcpdump || snort - as agents} + ethereal. Much better than $xx000 commercial sniffer(s) /I used both, and put commercial system into the wastebucket after comparison/. Exception - if you need H.323, use commercial sniffers. - Original Message - From: "Yann Berthier" <[EMAIL PROTEC

Re: Upcoming change to SOA values in .com and .net zones

2004-01-08 Thread Alexei Roudnev
uch script). - Original Message - From: "Suresh Ramasubramanian" <[EMAIL PROTECTED]> To: "Alexei Roudnev" <[EMAIL PROTECTED]> Cc: "Frank Louwers" <[EMAIL PROTECTED]>; "Maarten Van Horenbeeck" <[EMAIL PROTECTED]>; <[EMAIL

Re: Upcoming change to SOA values in .com and .net zones

2004-01-08 Thread Alexei Roudnev
If they do this change, they'll break a tremendous number of systems around. - Original Message - From: "Frank Louwers" <[EMAIL PROTECTED]> To: "Maarten Van Horenbeeck" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, January 07, 2004 3:38 PM Subject: Re: Upcoming change to SO

Re: GSR, 7600, Juniper M?, oh my!

2004-01-07 Thread Alexei Roudnev
> > Many interesting network solutions that have to be dismissed outright > because of IOS limitations, weaknesses or bugs can be easily expressed > in newer systems, not just JUNOS. Example, please. (Agree with Juniper OS for x86 - many people avoid Juniper because do not know it).

Re: Internet law

2003-12-31 Thread Alexei Roudnev
ically - no any problem. (Legal issues are another story... in States). Alexei Roudnev - Original Message - From: "Eric M. Fiterman" <[EMAIL PROTECTED]> To: "JC Dill" <[EMAIL PROTECTED]> Cc: "nanog" <[EMAIL PROTECTED]> Sent: Wednesday, Decemb

Re: [Activity logging & archiving tool]

2003-11-25 Thread Alexei Roudnev
It is excellent, but _too late_. Such features are useless, if you do not have them on all devices, and no one can update all network gear to this new version at once. So, it will be useful in 2 - 3 years -:). - Original Message - From: "Terry Baranski" <[EMAIL PROTECTED]> To: "'Christoph

Re: [Activity logging & archiving tool]

2003-11-25 Thread Alexei Roudnev
This is not dangerous - I do not expect any idiot, opening SNMP from outside (SNMP is excellent protocol, which can crash ANY device in the world; I crashed 6509 switch and PIX firewall in a few days, when debugged new 'snmpstat' system). And moreover, Cisco allows to lock IP and file name for SNMP/

Re: [Activity logging & archiving tool]

2003-11-25 Thread Alexei Roudnev
(it uses rcs instead of cvs). Alexei Roudnev - Original Message - From: "guy" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, November 25, 2003 2:54 PM Subject: Re: [Activity logging & archiving tool] > > > Don't forget that TACACS ca

Re: [Activity logging & archiving tool]

2003-11-25 Thread Alexei Roudnev
I created _Cisco repository_ about 1 year ago, using Expect, cvs and CVSWEB, for free, and since this, we did a few installations and are really happy with it (we save all Cisco configs, including routers, 6509 switches, PIX-es and these crazy VPN devices...). This is a simple tool, with the web in

Re: Re[2]: Anit-Virus help for all of us??????

2003-11-24 Thread Alexei Roudnev
In reality, PAT provides 99.99% of all firewall protection, so if some _very smart whitehat guy_ is writing _PNAT is not a firewall_, this means only, that he is very far from reality. Show me, please, any attack, addressed to the PNAT based system? PNAT is not enough for a firewall to be a full

Re: FW: Cost of Worm Attack Protection

2003-11-14 Thread Alexei Roudnev
, which makes cost of _prevention_ higher than cost of possible damage. Alexei Roudnev - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, November 13, 2003 1:40 PM Subject: Re: FW: Cost of Worm Attack Protection > > It would be grea

Re: This may be stupid but

2003-11-13 Thread Alexei Roudnev
I know, that e-bay used test to select a candidates, as well... - Original Message - From: "Fisher, Shawn" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, November 13, 2003 9:02 PM Subject: Re: This may be stupid but > > I created a test of my own that

Re: This may be stupid but..

2003-11-09 Thread Alexei Roudnev
Recruiters can provide you a group of _average_ engineers, and do not protect you from a heap of junk. If you need a 100 new persons for your call center - it's a good way. If you are looking for _Windows administrator, 100 desktops all Win2K or WinXP, anti-virus, 2 domains - it is good method too

Re: short question

2003-11-04 Thread Alexei Roudnev
Use E-bay. 1) Cisco 4700 or Cisco 4500 on EBAY, with 2FE card, is the cheapest solution: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055979445&category=28036 + http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3055635959&category=28036 or http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&it

Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)

2003-10-30 Thread Alexei Roudnev
). So, obsolete are not routers (esp. low end); obsolete is classification. Alexei Roudnev - Original Message - From: "Richard A Steenbergen" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, October 30, 2003 10:08 AM Subject

Test, drop it...

2003-01-12 Thread Alexei Roudnev
Alexei Roudnev =

Re: Certification or College degrees?

2002-05-23 Thread Alexei Roudnev
changed it -:)). - Original Message - From: "Scott Weeks" <[EMAIL PROTECTED]> To: "Andy Dills" <[EMAIL PROTECTED]> Cc: "Alexei Roudnev" <[EMAIL PROTECTED]>; "Nanog List" <[EMAIL PROTECTED]> Sent: Thursday, May 23, 2002 12:10

Re: Routers vs. PC's for routing - was list problems?

2002-05-23 Thread Alexei Roudnev
We had a lot of BSDI routers in past (in RELCOM, Russia); it was a good solution but there was always reliability problem: - you should use professional-grade PC which is not too cheap (not brand name but something having good power supply, good and reliable fans, and so on...) - you should inst

Re: Certification or College degrees?

2002-05-23 Thread Alexei Roudnev
Sorry, I did such mistake 5 years ago last time -:). Of course, I mean 'guys'... > > except _gay can read a books and can learn to answer a questions_. > > > I know you're not a native speaker, but that doesn't make this any less > hilarious. > > Andy > > xxx

Re: Certification or College degrees?

2002-05-23 Thread Alexei Roudnev
> > On Wed, 22 May 2002, Stephen Sprunk wrote: > > > Thus spake "Nigel Clarke" <[EMAIL PROTECTED]> > > > Certifications are a waste of time. You'd be better off > > > obtaining a Computer Science degree and focusing on the > > > core technologies. > > > > If you're looking to write software, sure

Re: DDOS attacks and Large ISPs doing NAT?

2002-05-03 Thread Alexei Roudnev
> > A NAT'd cell phone > > won't, can't ever, respond to an unsolicited connection request. > > A NAT is not a firewall. > > A firewall is not a NAT. > > Some vendors bundle firewall functionality with NAT functionality, just as > some vendors bundle SNA with IP. > > Please stop perpetuating the my

Re: DDOS attacks and Large ISPs doing NAT?

2002-05-02 Thread Alexei Roudnev
NAT will not help you in this case; in opposition, NAT will create the SINGLE bottleneck (NAT router itself) which can not be easily upgraded (you can install 10 web servers instead of one; but you can not install 10 NAT's). NAT is good for the outgoing calls or to allow single service be visible

Re: Effective ways to deal with DDoS attacks?

2002-05-02 Thread Alexei Roudnev
There is one more useful policy to decrease effectiveness of attacks such as DDOS. This is _refusal_ policy. In case of SYN attack, if system ALWAYS accept SYN packets, dropping old waiting half-open connections if there is not enough room, SYN attack becomes much less dangerous - if 90% traffi
