Full Disclosure mailing list archives

Re: HTTP AUTH BASIC monowall.


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 17 Mar 2006 09:33:59 +1300

Simon Smith wrote:

    My concern isn't firewall management. My concern isn't with SSL
    going over the Internet. My concern is more with SSL on a LAN and that
    this IT tool and other similar tools can be compromised easily once a
    LAN is penetrated. Providing an extra layer of security within the SSL
    tunnel would help to prevent this tool and others like it from being
    compromised so easily. My first thought was on how to harden the
    authentication because the basic auth didn't cut it for me. That's what I
    am looking for ideas for.

So, buy decent switches -- you know, properly configurable, managed 
ones -- and implement strict access control policies for _ALL_ 
equipment connected to the LAN.  Machine0001 with MAC ###### must 
connect to port 123 in room 101 of Building 3, etc, etc.  Disable _ALL_ 
unused ports.  Prevent all unknown devices from accessing the LAN at 
all.  Set serious alarms on all unknown device appearances, 
"unexpected" device disconnections, etc.

It's still not perfect, but _nothing is_, remember...

However, it will also (partly) fix a whole bunch of other problems for 
you as well.


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
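The policy Nick sketches (every known device pinned to one switch port, unused ports disabled, alarms on unknown devices and on unexpected disconnections) can be checked mechanically against what a switch reports. The following is an added example, not code from the thread or from m0n0wall: it audits a constructed MAC-address-table snapshot and a constructed list of enabled ports against a constructed device inventory. The inventory, the sample table, its "vlan mac type port" layout, and all MAC addresses and port names are assumptions made for illustration.

```python
"""Port-security audit over a switch MAC-address table (added example).

Implements the LAN access-control policy from the thread as a check:
  - UNKNOWN_DEVICE:         a MAC that is not in the inventory has appeared
  - WRONG_PORT:             a known MAC shows up on a port it is not assigned to
  - UNEXPECTED_DISCONNECT:  an inventoried MAC is no longer seen anywhere
  - UNUSED_PORT_ENABLED:    an enabled port has no device assigned to it
All data below is constructed for the example; formats are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Expected:
    """One inventory entry: this MAC belongs on exactly this port."""
    mac: str
    port: str
    location: str


# Constructed inventory (assumption): the "Machine0001 must connect to port X
# in room Y" records from the policy.
INVENTORY = [
    Expected("00:11:22:33:44:01", "Gi1/0/1", "Building 3, room 101"),
    Expected("00:11:22:33:44:02", "Gi1/0/2", "Building 3, room 102"),
    Expected("00:11:22:33:44:03", "Gi1/0/3", "Building 3, room 103"),
]

# Constructed snapshot (assumption) in a "vlan mac type port" layout, as a
# MAC-address-table dump from a managed switch might look.
MAC_TABLE = """\
10 0011.2233.4401 DYNAMIC Gi1/0/1
10 0011.2233.4403 DYNAMIC Gi1/0/7
10 0011.2233.44ff DYNAMIC Gi1/0/5
"""

# Constructed list (assumption) of ports the switch reports as enabled.
ENABLED_PORTS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/5", "Gi1/0/7", "Gi1/0/8"]


def normalize_mac(raw):
    """Accept dotted, colon or dash notation; return lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = raw.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map each MAC seen on the switch to the port it was learned on."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip headers / blank lines in a real dump
        _vlan, mac, _type, port = fields
        seen[normalize_mac(mac)] = port
    return seen


def audit(inventory, mac_table_text, enabled_ports):
    """Return a sorted list of (alarm, mac, port) tuples for policy violations."""
    expected = {normalize_mac(e.mac): e for e in inventory}
    seen = parse_mac_table(mac_table_text)
    assigned_ports = {e.port for e in expected.values()}
    alarms = []
    # Devices present on the wire: must be known and on their assigned port.
    for mac, port in seen.items():
        if mac not in expected:
            alarms.append(("UNKNOWN_DEVICE", mac, port))
        elif expected[mac].port != port:
            alarms.append(("WRONG_PORT", mac, f"{port} (expected {expected[mac].port})"))
    # Devices missing from the wire: an inventoried machine went quiet.
    for mac, entry in expected.items():
        if mac not in seen:
            alarms.append(("UNEXPECTED_DISCONNECT", mac, entry.port))
    # Ports that are up but have no assigned device should have been disabled.
    for port in enabled_ports:
        if port not in assigned_ports:
            alarms.append(("UNUSED_PORT_ENABLED", "-", port))
    return sorted(alarms)


if __name__ == "__main__":
    for alarm, mac, port in audit(INVENTORY, MAC_TABLE, ENABLED_PORTS):
        print(f"{alarm:22} mac={mac:17} port={port}")
```

On the constructed data this raises six alarms: one unknown MAC on Gi1/0/5, one known machine seen on the wrong port, one inventoried machine that has disappeared, and three enabled ports with nothing assigned to them. In practice the snapshot would be pulled from the switch on a schedule and the alarms fed to whatever monitoring the site already uses; the point is that the policy is only as good as the inventory it is checked against.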

