Re: Wireless insecurity at NANOG meetings
How about just plainly blocking the most obvious holes, that is telnet and POP? If someone wants a direct telnet connection to a route server or something similar - open a hole with a web-based tool? Ok, then you say all unencrypted www traffic with plain username/pw.. SSH'ing everything back to home base is quite useful :)
--Kauto
On Mon, 23 Sep 2002, Huopio Kauto wrote:
How about just plainly blocking the most obvious holes, that is telnet and POP? If someone wants a direct telnet connection to a route server or something similar - open a hole with a web-based tool? Ok, then you say all unencrypted www traffic with plain username/pw.. SSH'ing everything back to home base is quite useful :)
Configure hogwash (an evil snort hack which RSTs connections that match snort IDS rules) and create rules for unencrypted POP login, telnet login, web login things. That way you don't disturb encrypted versions on the same port numbers... Such for-your-own-good could be done by anyone on the wire vigilante style, not that anyone would endorse that (you're likely to screw up the rules and fry the network)...
participants (2): Greg Maxwell, Huopio Kauto
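The content-matching idea in the reply above, as an added example that is not part of the original thread and is not hogwash or snort code: it flags only payloads that carry a cleartext login, so encrypted sessions on the same port pass untouched. It covers the matching step only; the rule names, patterns and sample payloads are constructed assumptions.

```python
import re

# (rule name, service ports, payload pattern) - illustrative signatures,
# assumed for this example rather than taken from any real rule set.
CLEARTEXT_RULES = [
    ("pop3-cleartext-login", {110},
     re.compile(rb"^(USER|PASS) \S+", re.I | re.M)),
    ("telnet-login-prompt", {23},
     re.compile(rb"(login|password): ?$", re.I | re.M)),
    ("http-basic-auth", {80},
     re.compile(rb"^Authorization: Basic [A-Za-z0-9+/=]+", re.I | re.M)),
]

def looks_encrypted(payload):
    """True for a TLS record header or an SSH banner at the start of the payload."""
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return True  # TLS record: content type 20..23, version major 3
    return payload.startswith(b"SSH-")

def match_cleartext_login(service_port, payload):
    """Return the name of the rule that matches, or None if nothing is exposed."""
    if looks_encrypted(payload):
        return None
    for name, ports, pattern in CLEARTEXT_RULES:
        if service_port in ports and pattern.search(payload):
            return name
    return None

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (110, b"USER alice\r\n"),
    (110, b"STLS\r\n"),                       # upgrade request, no credentials
    (110, b"\x17\x03\x03\x00\x20" + b"\x8f" * 32),  # TLS application data
    (23, b"\r\nlogin: "),
    (80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    (80, b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n"),
]

def classify_samples():
    return [match_cleartext_login(port, data) for port, data in SAMPLES]

if __name__ == "__main__":
    for (port, _), verdict in zip(SAMPLES, classify_samples()):
        print(port, verdict or "no match")
```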