I couldn't disagree more. While it is true that network security is more than an engineering discipline, there are certainly major areas of security knowledge that fall within the realm of engineering. The poster asked specifically about technical tools for practical security.
Iptables is not a bad place to start for some practical, technical knowledge about security in IP networks. Take a look at the HOWTOs at www.netfilter.org. Another good tool to work with as you explore Iptables is nmap.
Shortly before the time of Beethoven, Mozart "stole" an extremely popular work which belonged to the Catholic church by transcribing it from memory after listening to a performance or two. Beethoven probably personally benefited from hearing this "bootleg" performed.
Mozart died in poverty despite leaving the world with a quantity and quality of music unparalleled by all but a few artists in the history of the world. Maybe he should have cared about his financial wellbeing more than his music, but he didn't. Thank you, Mozart.
I'm both a musician and a programmer, and I woud definitely say that theft is the wrong way to describe it.
You show it to a company and they copy it, sell it as their own and throw you out on your ass.
Selling it "as their own" implies plagiarism, which is completely different from a copyright violation. They can sell it all day long without complaint from me as long as they don't claim to have written the software without me. Credit should be given where credit is due. As long as I get that credit, then there is no problem. Even if I don't get credit, I wouldn't call it theft; I'd call it plagiarism.
SMTP does exactly what it's designers wanted it to do: provide universal delivery. Any message from any source, verifiable or not, will be reliably delivered to any valid recipient address. It's a very simple concept (and "simple" is what it is called), but it is very important that we have a protocol which meets this need.
Should we be using a limited delivery protocol for personal email rather than a universal delivery protocol? Maybe. But there will always be certain needs for universal delivery, and, if we don't completely destroy the system by implementing knee-jerk spam solutions, SMTP will always be there to meet those needs.
The problem isn't with SMTP; it is a problem inherent in any universal delivery system.
Anyway, I should also mention that I teach some specialized networking classes and a lot of my students are network administrators at colleges and universities, both large and small. Only a couple of those universities are planning any significant IPv6 implementations (beyond some research networks) within the next year or two.
To the best of my knowledge, that bit about the API calls is incorrect. Remote Desktop (gotta love Microsoft's way of turning common terminology into product names) uses the RDP 5.1 protocol, an incremental update to RDP 5.0, the remote display protocol used by Windows Terminal Service in Windows 2000. Version 5.1 adds some goodies like an audio channel, a serial channel, and better compression, but it's still basically a remote display protocol like RFB, ICA, or AIP.
If you are a professional cryptographer, you should know the answer to your own question. If you aren't a professional cryptographer, then chances are _very_ good that your technology will be broken or otherwise made useless as soon as it becomes public.
That's not to say you aren't an intelligent person, but it takes a lot more than one great mind to accomplish your claim, in my opinion.
Yes, Citrix is expensive. Yes, Microsoft demands a lot of money for the servers. A big Citrix installation can still save gobs of money vs. desktop PCs running Windows, however. Think about the savings of centralized administration and not having to provide on-site desktop support to all the users (who may not all be in a single location). Think about the power savings of thin clients vs. desktop machines. The power savings alone can add up to tens of thousands of dollars per year even for a small to medium sized organization.
The reason this is useful is that it allows a group of (perhaps constantly changing) network nodes to form a big cohesive network. It sounds like it creates isolated layer 2 cells and builds a single layer 3 network out of the cells, which I believe is what the Linksys WET11 does.
Compare this to the coherent layer 2 network which can be created with Spanning Tree Protocol by using OpenAP like these guys do.
Most WiFi access points do not support a mesh topology, but only support hub and spoke. With hub and spoke, you can only connect to the network if you have line of sight to a hub, but with a mesh network, you can connect via any other network node. Mmmmmmm. ..
Perhaps someone who actually got through the slashdotting can comment on the other features (compression, encryption, proxying, etc.)
It sounds like your network admins would benefit from one of my PacketShaper classes. Either that, or they just aren't aware of the port 80 problem; you should let them know.
No, UWF does not do this. Irvine is controlling P2P traffic so that it does not interfere with more legitimate uses of its network. UWF is trying to completely deny P2P traffic. There is a significant difference.
Why not use VNC? Maybe because VNC is riddled with security holes? Maybe because Timbuktu has killer Mac support? I'm not saying VNC would be a bad solution (I love VNC), but it isn't the only solution and is likely not the best solution. It might be the only open source solution.
They can. A PacketShaper can do exactly that. However, they've chosen to limit P2P applications because they (correctly) identified P2P as being the cause of severe congestion problems.
After all, their current method is worthless if people start using proxies, especially proxies across port 80.
And your method is worthless if people start creating tunnels through on-campus hosts which are outside of the dorm network. A few users will always find a way around any controls that are put in place. This school is doing a better job than most at providing quality of service for its dorm networks.
Slashdot Mirror
Uh, did you try following the link?
"First, Please read the Linux Advanced Routing and Traffic Control HOWTO at http://lartc.org/"
Cisco-like functionality is old hat. Cisco doesn't do any traffic classification this sophisticated. This is along the lines of what Packeteer does.
I couldn't disagree more. While it is true that network security is more than an engineering discipline, there are certainly major areas of security knowledge that fall within the realm of engineering. The poster asked specifically about technical tools for practical security.
Iptables is not a bad place to start for some practical, technical knowledge about security in IP networks. Take a look at the HOWTOs at www.netfilter.org. Another good tool to work with as you explore Iptables is nmap.
Shortly before the time of Beethoven, Mozart "stole" an extremely popular work which belonged to the Catholic church by transcribing it from memory after listening to a performance or two. Beethoven probably personally benefited from hearing this "bootleg" performed.
Mozart died in poverty despite leaving the world with a quantity and quality of music unparalleled by all but a few artists in the history of the world. Maybe he should have cared about his financial wellbeing more than his music, but he didn't. Thank you, Mozart.
I'm both a musician and a programmer, and I woud definitely say that theft is the wrong way to describe it.
You show it to a company and they copy it, sell it as their own and throw you out on your ass.
Selling it "as their own" implies plagiarism, which is completely different from a copyright violation. They can sell it all day long without complaint from me as long as they don't claim to have written the software without me. Credit should be given where credit is due. As long as I get that credit, then there is no problem. Even if I don't get credit, I wouldn't call it theft; I'd call it plagiarism.
SMTP does exactly what it's designers wanted it to do: provide universal delivery. Any message from any source, verifiable or not, will be reliably delivered to any valid recipient address. It's a very simple concept (and "simple" is what it is called), but it is very important that we have a protocol which meets this need.
Should we be using a limited delivery protocol for personal email rather than a universal delivery protocol? Maybe. But there will always be certain needs for universal delivery, and, if we don't completely destroy the system by implementing knee-jerk spam solutions, SMTP will always be there to meet those needs.
The problem isn't with SMTP; it is a problem inherent in any universal delivery system.
Holy cow, I got a FP!
Anyway, I should also mention that I teach some specialized networking classes and a lot of my students are network administrators at colleges and universities, both large and small. Only a couple of those universities are planning any significant IPv6 implementations (beyond some research networks) within the next year or two.
None of the organizations I work directly with are even thinking about IPv6.
> The Constitution doesn't say you can read
> whatever you want, only that you can say
> whatever you want.
Fortunately, the Supreme Court has found those
two things to be equivalent.
This stuff has been around for a while. A guy I know works for a company that does this at sea.
To the best of my knowledge, that bit about the API calls is incorrect. Remote Desktop (gotta love Microsoft's way of turning common terminology into product names) uses the RDP 5.1 protocol, an incremental update to RDP 5.0, the remote display protocol used by Windows Terminal Service in Windows 2000. Version 5.1 adds some goodies like an audio channel, a serial channel, and better compression, but it's still basically a remote display protocol like RFB, ICA, or AIP.
I already have it: KDE 3.0.4
If you are a professional cryptographer, you should know the answer to your own question. If you aren't a professional cryptographer, then chances are _very_ good that your technology will be broken or otherwise made useless as soon as it becomes public.
That's not to say you aren't an intelligent person, but it takes a lot more than one great mind to accomplish your claim, in my opinion.
Wow. I'm happy to be wrong. :-)
I bet X is open on tcp/6000. That alone is more than enough reason to firewall by default.
Yes, Citrix is expensive. Yes, Microsoft demands a lot of money for the servers. A big Citrix installation can still save gobs of money vs. desktop PCs running Windows, however. Think about the savings of centralized administration and not having to provide on-site desktop support to all the users (who may not all be in a single location). Think about the power savings of thin clients vs. desktop machines. The power savings alone can add up to tens of thousands of dollars per year even for a small to medium sized organization.
The reason this is useful is that it allows a group of (perhaps constantly changing) network nodes to form a big cohesive network. It sounds like it creates isolated layer 2 cells and builds a single layer 3 network out of the cells, which I believe is what the Linksys WET11 does.
Compare this to the coherent layer 2 network which can be created with Spanning Tree Protocol by using OpenAP like these guys do.
Most WiFi access points do not support a mesh topology, but only support hub and spoke. With hub and spoke, you can only connect to the network if you have line of sight to a hub, but with a mesh network, you can connect via any other network node. Mmmmmmm. . .
Perhaps someone who actually got through the slashdotting can comment on the other features (compression, encryption, proxying, etc.)
It sounds like your network admins would benefit from one of my PacketShaper classes. Either that, or they just aren't aware of the port 80 problem; you should let them know.
Throttling creates a shit load of traffic inself.
not if they use TCP rate control (which a PacketShaper can do)
I wonder if the packet shaper can throttle per MAC address
It can.
my kingdom for a moderator point
No, UWF does not do this. Irvine is controlling P2P traffic so that it does not interfere with more legitimate uses of its network. UWF is trying to completely deny P2P traffic. There is a significant difference.
Why not use VNC? Maybe because VNC is riddled with security holes? Maybe because Timbuktu has killer Mac support? I'm not saying VNC would be a bad solution (I love VNC), but it isn't the only solution and is likely not the best solution. It might be the only open source solution.
They can. A PacketShaper can do exactly that. However, they've chosen to limit P2P applications because they (correctly) identified P2P as being the cause of severe congestion problems.
After all, their current method is worthless if people start using proxies, especially proxies across port 80.
And your method is worthless if people start creating tunnels through on-campus hosts which are outside of the dorm network. A few users will always find a way around any controls that are put in place. This school is doing a better job than most at providing quality of service for its dorm networks.
If you care about this issue, you may be interested in the activities of the Freedom to Read Foundation