Penetration Testing mailing list archives
RE: Layer 3 and Firewall
From: "Starkey, Kyle (Salt Lake City)" <Kyle.Starkey () fishnetsecurity com>
Date: Thu, 19 Oct 2006 13:05:18 -0500
Folks...

While I agree that there is a certain level of trust that needs to be allowed your network/security admin personnel, this doesn't mean that you can't implement logging and monitoring to keep them honest. This relies heavily on the idea of separation of duties: admin is one group, and monitoring and change management should be different groups. If there are more people involved in the monitoring and administration, then it will require some collusion of employees to defraud the organization.

Possibly an automated login and configuration gathering tool would help you to keep an eye on your admin groups. The system would have to be set up to log in every X minutes to check the configuration against the current "known-good" config. Additionally, it would need to be monitoring the logs from all devices and do config checks every few moments between when an admin has logged in and logged out (checking to see how the admin has made changes and alerting review when they have deviated from the approved config). Now that I say that, I am not sure you can have multiple users on IOS logged in with access to the running config, but this sort of system would help to solve this particular issue....

Ramblings from a paranoid soul at 30,000 ft...

-Kyle

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of DaKahuna
Sent: Friday, October 06, 2006 7:08 PM
To: pen-test () securityfocus com
Subject: Re: Layer 3 and Firewall
Could you be more specific on the technical solution, because that is what I am looking for urgently? I am not worried about VLAN hopping or any other user-initiated attack. I am only worried about the switch admin playing foul.
If you can't trust your switch admin then you need to replace him with someone you can trust. Administrators are people in a position that requires unequivocal trust. In order to be effective in their jobs they need to be given privileges that go beyond those of normal users.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
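The periodic check against a "known-good" config that the reply above describes, sketched as an added example that is not part of the original post or any tool named in the thread. The configs are constructed samples, the function names are hypothetical, and collecting the running config from the device is assumed to happen elsewhere.

```python
import re

# Lines in IOS "show running-config" output that differ on every capture
# and would otherwise raise a false drift alert.
VOLATILE = re.compile(r"^(Building configuration|Current configuration\s*:|ntp clock-period)")

def flatten(config_text):
    """Return the set of 'section > command' paths for an IOS-style config."""
    paths, parent = set(), None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        # Skip blanks, "!" comment lines (including change timestamps) and volatile lines.
        if not line.strip() or line.strip().startswith("!") or VOLATILE.match(line):
            continue
        if line[0].isspace():        # indented: belongs to the current section
            paths.add(f"{parent} > {line.strip()}")
        else:                        # top-level command opens a new section
            parent = line
            paths.add(line)
    return paths

def drift(known_good, running):
    """Compare a captured running config with the approved baseline."""
    base, cur = flatten(known_good), flatten(running)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

# Constructed sample baseline (not from a real device).
KNOWN_GOOD = """\
Building configuration...
Current configuration : 1420 bytes
!
! Last configuration change at 09:12:44 UTC Mon Oct 2 2006 by netadmin
!
hostname sw-lab-01
!
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
ntp clock-period 17180012
end
"""

# Constructed later capture: new timestamp and clock period (noise), and
# FastEthernet0/1 moved to VLAN 20 (the unapproved change to flag).
RUNNING = (KNOWN_GOOD.replace("09:12:44 UTC Mon Oct 2", "14:03:10 UTC Thu Oct 19")
           .replace("17180012", "17180047").replace("vlan 10", "vlan 20"))
```

Keying each command to its section matters here: `switchport access vlan 20` already exists in the baseline under FastEthernet0/2, so a plain line-by-line set comparison would not report it as new on FastEthernet0/1.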