If you are talking about routing and networking, a lot of universities are checking these matters and have come up with some interesting tools to handle it. For example Merit (www.radb.net) has sponsored research to auto-configure the most used routers (Cisco, Bay, Juniper, Gated) based on an RFC-defined database (RPSL). These tools create access-lists that will allow you to filter routing updates based on prefix filters, AS paths etc. Here you also filter any reference to RFC1918, called martians. On the major NAPs in the States these configs become too big for prefix lists and security will have to be based on AS-path lists... however it STILL DOES THE TRICK. From our experience using these techniques does not decrease the performance but increases the security. From a management perspective, as these tools are auto-updated, this is also very acceptable.
If we are talking about ISP server farms, then they should be punished for not using spoof alerts on their firewalls. It is not difficult and is one of the first things you learn on a security course.
SSH has a protocol that does not poll to keep its session active: you can completely pull out your routes, wait for 5 minutes and you can continue. This might sound OK, but it also has a downfall: as long as you are not typing, there is no traffic generated from your side. If you pass through, for example, a Checkpoint Firewall, the tcp timeout in the root Checkpoint config will close the connection after the defined tcp timeout, usually 30 minutes. Even running a tunnel with X, for example, will not help as the tunnel traffic does not get counted (I do not know why). The workaround we have created here is to start a script in the background that shows the date every 25 minutes; this then looks like you have a person typing in 'date' and keeps the tcp session up and running.
Performance is one thing, security another.
Hope this helps
D.
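The prefix filtering the post describes, as an added example that is not from the post or from the Merit tools: a small Python model of how a route filter generated from RPSL route objects treats incoming announcements, dropping martians (RFC 1918 and other never-routable space), over-specific prefixes, unregistered prefixes and announcements whose origin AS does not match the registered one. The route objects, updates and AS numbers are constructed for illustration.

```python
import ipaddress

# Constructed RPSL route objects (RFC 2622 'route:' / 'origin:' attributes),
# standing in for the registry data (e.g. RADB) an auto-config tool would query.
RPSL_DB = """\
route: 198.51.100.0/24
origin: AS64500

route: 203.0.113.0/24
origin: AS64501
"""

# Never-routable space; references to RFC 1918 in updates are the 'martians'
# the post mentions. List is illustrative, not a complete bogon list.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def parse_rpsl(text):
    """Return {IPv4Network: origin AS number} from blank-line separated route objects."""
    registry = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        net = ipaddress.ip_network(attrs["route"].strip())
        registry[net] = attrs["origin"].strip().upper().lstrip("AS")  # "AS64500" -> "64500"
    return registry

def classify_update(prefix, as_path, registry, max_len=24):
    """Verdict a registry-built prefix filter would give one received announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(m) for m in MARTIANS):
        return "deny-martian"
    if net.prefixlen > max_len:
        return "deny-too-specific"          # longer than what is accepted from peers
    origin = as_path.split()[-1]            # rightmost AS in the path is the origin
    for registered, reg_origin in registry.items():
        if net.subnet_of(registered):
            return "permit" if origin == reg_origin else "deny-origin-mismatch"
    return "deny-unregistered"

UPDATES = [  # constructed: (announced prefix, AS path as received from a peer)
    ("198.51.100.0/24", "64496 64500"),
    ("10.1.0.0/16", "64496 64500"),
    ("203.0.113.0/24", "64496 64502"),
    ("203.0.113.128/25", "64496 64501"),
    ("192.0.2.0/24", "64496 64503"),
]

def filter_updates(updates, registry):
    return {prefix: classify_update(prefix, path, registry) for prefix, path in updates}

if __name__ == "__main__":
    for prefix, verdict in filter_updates(UPDATES, parse_rpsl(RPSL_DB)).items():
        print(f"{prefix:20} {verdict}")
```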