Lets step back from the problem and review the difference between PAT and NAT.
PAT (Port Address Translation) is the most common way of sharing a single Public IP address with many hosts.
think ONE -> MANY.
NAT (Network Address Translation) is the process of having a single Public IP address point to a single internal address.
Your problem is simple: the solution is simply to increase your NAT pool to the number of internal clients.
This does require more public IP addresses as you stated; however, it does not mean everyone gets a direct public address. You can have internal users REQUEST a NAT address rather than a PAT (shared) address.
The number of people requesting NAT may not be the entire dorm, and you can still apply your normal firewall rules; just permit the port services you wish (in your case it's BitTorrent). In some situations like DSL, the DSLAM can do this for you, and you can even charge the dorm users who want their own NAT address more in fees or similar if needed to pay for your new IP SWIP.
I'm not a big BitTorrent user; however, users should be able to do what they wish, that's what an EUA is for. Don't blame technology, just use it the way the RFC describes it, not how vendors lock you in.
In large environments it's a good idea to deploy some type of QoS. Use basic rules to provide equal resources to each network device if resources are maxed. On-the-fly rules can be added to limit virus or other traffic to a minimum in a problem situation. Also, in many university networks I've worked on, a basic QoS rule for P2P will save critical network resources while not restricting P2P usage altogether. (Not all P2P is bad, remember, and it's not your job to invade traffic privacy until you're forced to.)
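As an added example (not part of the post above), here is a small Python model of the dorm edge the post describes: one shared public address doing PAT for everybody, a small pool of dedicated addresses handed out one-to-one on request, and a firewall rule that permits the chosen service port (the post's BitTorrent case) only to hosts holding a dedicated address. All addresses, ports and the class and method names (DormTranslator, request_nat, outbound, inbound) are constructed for the illustration and do not come from the post or any vendor.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A flow as the translator sees it: (internal_ip, internal_port, remote_ip, remote_port)
Flow = Tuple[str, int, str, int]


@dataclass
class DormTranslator:
    """Toy edge router (added example, constructed addresses): PAT on one shared
    public IP for everyone, plus a one-to-one NAT pool a host can request."""

    pat_ip: str                       # the one public address everybody shares (PAT)
    nat_pool: List[str]               # public addresses still free for one-to-one NAT
    permitted_inbound: Set[int]       # firewall: ports allowed in, unsolicited, to NAT hosts
    nat_map: Dict[str, str] = field(default_factory=dict)       # internal -> public
    nat_reverse: Dict[str, str] = field(default_factory=dict)   # public -> internal
    nat_flows: Set[Flow] = field(default_factory=set)           # outbound flows of NAT hosts
    pat_by_port: Dict[int, Flow] = field(default_factory=dict)  # shared-IP port -> flow
    pat_by_flow: Dict[Flow, int] = field(default_factory=dict)  # flow -> shared-IP port
    next_port: int = 1024             # next free port on pat_ip

    def request_nat(self, internal_ip: str) -> Optional[str]:
        """Hand a host its own public address; None means the pool is exhausted."""
        if internal_ip in self.nat_map:
            return self.nat_map[internal_ip]
        if not self.nat_pool:
            return None                 # out of addresses: time to obtain more space
        public = self.nat_pool.pop(0)
        self.nat_map[internal_ip] = public
        self.nat_reverse[public] = internal_ip
        return public

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Translate a packet leaving the dorm; returns the (public ip, port) it carries."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        if src_ip in self.nat_map:
            self.nat_flows.add(flow)    # remember it so the reply is let back in
            return self.nat_map[src_ip], src_port      # 1:1 NAT: address changes, port kept
        if flow not in self.pat_by_flow:               # PAT: allocate a port on the shared IP
            port = self.next_port
            self.next_port += 1
            self.pat_by_flow[flow] = port
            self.pat_by_port[port] = flow
        return self.pat_ip, self.pat_by_flow[flow]

    def inbound(self, dst_ip: str, dst_port: int, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving from the Internet; None means it is dropped."""
        if dst_ip == self.pat_ip:
            flow = self.pat_by_port.get(dst_port)
            if flow is None or flow[2:] != (src_ip, src_port):
                return None             # no PAT entry for this peer: unsolicited, dropped
            return flow[0], flow[1]
        internal = self.nat_reverse.get(dst_ip)
        if internal is None:
            return None                 # not one of our addresses
        if dst_port in self.permitted_inbound or (internal, dst_port, src_ip, src_port) in self.nat_flows:
            return internal, dst_port   # permitted service port, or a reply to the host's own flow
        return None                     # ordinary firewall rule: everything else stays closed


if __name__ == "__main__":
    edge = DormTranslator(pat_ip="198.51.100.1",
                          nat_pool=["198.51.100.10", "198.51.100.11"],
                          permitted_inbound={6881})
    print("10.0.0.5 requests NAT ->", edge.request_nat("10.0.0.5"))
    print("10.0.0.9 browses via PAT ->", edge.outbound("10.0.0.9", 40000, "203.0.113.7", 80))
    print("peer -> shared IP :6881 ->", edge.inbound("198.51.100.1", 6881, "203.0.113.50", 51413))
    print("peer -> pooled IP :6881 ->", edge.inbound("198.51.100.10", 6881, "203.0.113.50", 51413))
```

Run it and the point of the post falls out of the translation table: a peer connecting unsolicited to the shared address has no entry to match and is dropped, the same connection to a pooled address is accepted on the permitted port, and the pool running dry (request_nat returning None) is the moment the extra address space the post mentions becomes necessary.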
http://biz.yahoo.com/prnews/041108/nym043_1.html
Anyone else notice the literacy article has a mistyped URL at the end of this story, thus it does not work correctly?
"http://www.ets.org\ictliteracy"
.. So much for IT literacy..
I have two issues with this.
1) If vulnerability information is sold at a premium, then those of us who find vulnerabilities should receive the largest royalties. Is it fair for us researchers to basically blackmail vendors?
2) Should vulnerability information be disclosed only after a GNU (type) agreement is made to outline the correct (non-profit) behavior in vulnerability mitigation and proper credit?
Microsoft has been very good at giving credit to researchers etc., and I believe they (like many others) are successfully jumping on the security bandwagon; however, the overall conclusion for security problems is this.
Should the vendor pick up the cost of vulnerabilities as a part of the development QA process, or should the consumer allot a budget for this and assume this as a normal business cost?
If the latter is true, should software companies be rated on their product/service security history as a sign of good business/product?
What about open source projects, take BIND and djbdns. I know Vixie personally and have attended a Bernstein lecture in Chicago. They _BOTH_ are good people; however, BIND is the overwhelming standard for DNS servers. Should Bernstein charge for vulnerability information? Hells no, but he does offer money to someone who finds a vuln in his software. Why don't WE as consumers receive some of our money back when there is a vulnerability in the software I purchased? Especially if the vendor is receiving money (in the form of premier service contracts, or direct revenue explicitly for vuln info) to deal with the problem.
I will be honest and admit I see both sides of the situation; however, IMHO this will only lead to more 0day posts of vuln+exploit code publicly or shady business practices.
My conclusion is this:
For-profit vendors (enterprise and consumer) should have an auto-update function, and secondly the vendor should provide loyal customers discounts (in an amount proportional to the criticality of the vulnerability, up to 50% of the cost of the software which was vulnerable, and any additional cost if legally proven) on future products for each vulnerability which affects the customer.
For example, if I buy a single copy of Windows XP at $100, and a vulnerability was found which opens a remote system-level compromise, I should receive an auto update and a $50 credit off future Microsoft products. Vendors won't like this solution, but $1 million Oracle deployments with daily critical vulns deserve it. Microsoft really wouldn't be ruined by something like this, no more than the patent lawsuit bullshit.
Now I am one for dismissing most things, but really.. someone tell me if it's not a little fishy that the latest worms have been "cleaning up" systems.. welchi.. fixes vulnerabilities.. now this worm basically crashes vulnerable systems, forcing the owner to reinstall, possibly a "newer" version of the OS..
As far as a long-term solution, the latest worms actually haven't "compromised" anyone's data.. and the worst they've done is create downtime, causing the importance of patching/upgrading to be visible on the executive's agenda.
I've used BlackICE before, among other personal firewalls.. they all have one thing in common: the simple product is designed with "bells and whistles" that increase the number of attackable points in the software.. keep it simple..
Sounds more like an HTML based email, accessing some type of a remote object.. Seems the gov't has a new name for an old technique spammers used years ago to verify read mail.
I respect our gov't, but how many agents does it take to market old techniques :)
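The "remote object" in HTML mail that the post describes is the tracking pixel, or web beacon: the image request itself tells the sender the message was opened. As an added example, not from the post, here is a Python scanner that lists every remote resource an HTML body would fetch when rendered with remote content enabled and flags the ones that look like read receipts: zero- or one-pixel images, hidden elements, and URLs carrying an opaque per-recipient token. The sample message, hostnames and function names (scan_mail, beacon_reasons) are constructed for the illustration, and the heuristics are my own rather than any standard.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Attributes whose value the mail client fetches over the network when the
# message is rendered with remote content enabled.
REMOTE_ATTRS = {
    "img": ("src",), "iframe": ("src",), "script": ("src",), "embed": ("src",),
    "object": ("data",), "link": ("href",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)   # url(...) in inline style
TOKEN = re.compile(r"^(?:[0-9a-f]{16,}|[A-Za-z0-9_-]{24,})$")         # looks like an opaque id


class RemoteObjectFinder(HTMLParser):
    """Collects every remote object an HTML body would load."""

    def __init__(self) -> None:
        super().__init__()
        self.objects: List[Dict] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for name in REMOTE_ATTRS.get(tag, ()):
            url = a.get(name, "")
            if url.lower().startswith(("http://", "https://")):
                self.objects.append({"tag": tag, "url": url, "attrs": a})
        for m in CSS_URL.finditer(a.get("style", "")):
            self.objects.append({"tag": tag, "url": m.group(1), "attrs": a})


def beacon_reasons(obj: Dict) -> List[str]:
    """Why a remote object looks like a read-receipt beacon rather than content."""
    reasons = []
    a, tag = obj["attrs"], obj["tag"]
    if tag == "img" and (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")):
        reasons.append("1x1 or zero-size image")
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden element")
    parts = urlsplit(obj["url"])
    # Query values and path segments (extension stripped) are where the
    # per-recipient identifier usually lives.
    values = [v for _, v in parse_qsl(parts.query)]
    values += [seg.rsplit(".", 1)[0] for seg in parts.path.split("/")]
    if any(TOKEN.match(v) for v in values):
        reasons.append("opaque per-recipient token in URL")
    return reasons


def scan_mail(html: str) -> List[Dict]:
    """Return each remote object with its URL and the beacon indicators found."""
    finder = RemoteObjectFinder()
    finder.feed(html)
    return [{"tag": o["tag"], "url": o["url"], "reasons": beacon_reasons(o)}
            for o in finder.objects]


# Constructed sample message (not a real mail): one ordinary logo, one tracking
# pixel, one tracked CSS background.
SAMPLE_MAIL = """
<html><body style="background: url(https://mail.example.net/bg/9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.gif)">
<p><img src="https://www.example.net/img/logo.png" width="120" height="40" alt="logo"></p>
<p>Please confirm your attendance.</p>
<img src="https://track.example.net/open?u=42&t=0123456789abcdef0123456789abcdef" width="1" height="1" style="display:none">
</body></html>
"""


if __name__ == "__main__":
    for hit in scan_mail(SAMPLE_MAIL):
        flag = "BEACON" if hit["reasons"] else "remote"
        print(f"{flag:6} <{hit['tag']}> {hit['url']}  {', '.join(hit['reasons'])}")
```

The defensive counterpart is the one the post hints at: a client that does not fetch remote content at all has nothing for any of these three objects to report, token or no token; the scanner is useful on the gateway side, where you want to know which messages carry such objects before users open them.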
Although I admit I'm partial to the book, it should be noted that the DNS chapter is unbiased; covering the dns infrastructure, BIND, DJBDNS, and MSDNS.
-Start with a good understanding of the technology with sys-admin's experience.
-Read TCP/IP Illustrated Volume I
-Read Applied Cryptography
-Read Hacking Exposed 4 (shameless plug) or other similar books directly related to hacking activities that have a good networking security section
-Install an old OS version and hack it, understand the flaw and how to fix it.
-Understand and be comfortable with coding.
-Understand the purpose and how to use these well known tools http://www.insecure.org/tools.html
-Pass the CCNP and CISSP tests, I would expect this of any good consultant.
-Ask questions, but read http://www.linuxsilo.net/docs/smart-questions-en.html first.
-www.cymru.com
-phenoelit.de
-qorbit.net
-Mailing lists
-bugtraq
-nanog
-isp-security
-checkpoint
-CERT
-first.org
-honeypot
General Topics to understand first hand, and experience.
-Firewall
http://www.qorbit.net/documents/maximizing-firewall-availability.htm
-IDS
-Dynamic Routing
Internet Routing Architectures - Bassam Halabi
-IPSEC
-SSL
Create your own CA, understand the downfalls of our current system
-Token based authentication
RSA and Authenex have free demo packages
-DNS
-packetstormsecurity tools
Try and CONTRIBUTE to non-corporate activities; specifically the opensource community
-VPN
-GLB, HIPAA, FIPS security policy
-Wireless (not just 802.11a/b/g) Security Methodology
-General Cryptography Overview
Know the pros and cons of using AES instead of 3DES, for example.
Most of all, try and understand things from scratch, read old exploits and advisories and understand the exact source of problems. I've attended and taught several security courses; none of the 7-day security braindumps will make you an expert consultant, you need to think outside the box and be paranoid on your own. Be one of the few individuals who check the MD5 sums of apps, use PGP for all sensitive emails, don't send enable passwords via AIM or Nextel two-way, and push their SNMPv1 (v3!) traffic over IPSEC tunnels just because it runs through a piece of fiber in 1 Wilshire (shudder!!). An important subject which very few articles cover is your personal habits: be organized, document, and share security responsibility and paranoia with other admins in your organization; this is by far the largest hurdle and the largest downfall of many.
(please excuse any misspellings, grammar, limited details, and bad formatting)
> Techdirt, interestingly, took the contact info down because they feel that no one should get spammed.
A site which displays contact information and tracks stories/comments on spammers:
Spamhaus
> I am aware of what the NSA considers to be a secure network, but, honestly, who has read that stuff?
I honestly have read every NSA guide publicly available on nsa.gov; they are usually in-depth and are a good starting point (with the exception of the DNS guide). I don't blindly accept everything they say; however, it's my tax dollars working for me for once.
I agree that credit checks and overall background checks are invasive. From the employer's point of view it makes their job easier to filter out "bad" candidates. I personally have had top secret background checks and a polygraph. I don't believe either of them MADE me a better candidate.
I am a strong believer in privacy, but this is a hard subject. I would run your credit privately, and have an accredited state notary return a rating, without including specifics of your history.
The real news: fuckedcompany has a FORGED memo, and the ntobjectives thing is touchy, though it's my opinion it has been handled as best as possible.
Keep an eye out for more vuln advisories from R&D.
The idea of biometrics (probably finger, not retina) for identity is one of the most trusted forms of identification. I am for a more faithful identification process. I for one would like to use technology for improvement. The situation is not biometrics, it's need. Does the government NEED to take these steps to govern the people? I for one believe the world is ready for it; I will be pulled kicking and screaming but will be forced to conform. As some states already have my fingerprint on file, that is the same as having it on a smartcard. Authentication has three levels (for beginners here): something you have (driver's license), something you know (possibly a driver's license PIN) and something you are (biometrics). If these steps are put to use, it would be of the highest difficulty to fake this process. I am one to keep my opinion out of gossipy government. I do hope to see new toys. I feel sorry for the college kids and their fake ID shops. ENJOY
Also, I would like to note, I change my password every 30 days. If I keep this up for biometrics.... I am only secure for 10 months. Toes.. 20 months.. Remember, biometrics are only as safe as the environment they are used in.
Anything can be used in malicious ways. This goes back to limiting information, or closed source is secure source. Purchasing weapons (e.g. guns, knives) is not a crime, only when they are used maliciously. The same should go with code.