swinog July 2008

swinog@lists.swinog.ch

31 participants
21 discussions

Re: Re: Re: Re: Re: Re: Re: Re: [swinog] The truth about UCEPROTECT-Blocklists

by f.jachiet＠gpstechnik.ch

Der von ihnen angeschriebene Mitarbeiter arbeitet nicht mehr bei der Firma GPS Technik AG. Bitte wenden sie sich an info(a)gpstechnik.ch oder 0041 44 732 99 77.

14 years, 6 months

AUTO: Moritz Höfer is out of the office (returning 12.08.2008)

by moritz.hoefer＠belsoft.ch

I am out of the office until 12.08.2008. Vielen Dank für Ihre Nachricht. Zur Zeit bin ich abwesend und habe nur limitierten E-Mail Zugang. Ihre Nachricht werde ich so bald wie möglich beantworten. Für dringende Angelegenheiten kontaktieren Sie bitte Markus Bommeli unter E-Mail: markus.bommeli(a)belsoft.ch oder per Telefon +41 (0)44 388 13 31. Thank you for your E-mail. I have only limited E-mail access, and I will respond to your message as soon as possible. For urgent matters please contact Markus Bommeli at the office. E-mail: markus.bommeli(a)belsoft.ch or phone +41 (0)44 388 13 31. Freundliche Grüsse / Kind regards, Moritz Höfer Note: This is an automated response to your message swinog Digest, Vol 42, Issue 15 sent on 31.07.2008 12:00:03. This is the only notification you will receive while this person is away. __________________________________________________________ Belsoft AG | IT Solutions Russenweg 26 | 8008 Zuerich | Switzerland Phone: +41 44 3881331 | Fax +41 44 3811611 info(a)belsoft.ch | http://www.belsoft.ch __________________________________________________________ This e-mail has been scanned for viruses and content. If you encounter any problems mailto:postmaster@belsoft.ch

14 years, 7 months

Securing Cisco Routers in a ISP network (management-plane?)

by Marco Fretz

Hi everyone, I'm preparing my routers for IPv6. Along with v6 support comes the requirement to secure router management / services for v6. Currently I've inbound access-lists on all inbound interfaces blocking management traffic (ssh, telnet, ftp, http, etc.) and things like SIP, etc. to all router v4 addresses. You can imagine that this a lot of maintenance work. So my idea was to use the new management-plane (control-plane) protection in IOS 12.4 T. http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html Is there anyone using this already in ISP networks? What are the experience? You can define a loopback interface as management-interface and propagate the loopback addresses with IGP inside the management network. After that, all other interfaces are no longer accepting management traffic to the control-plane, right? Setting an inbound access-list on the loopback interface to filter management traffic may be a good idea, right? Is there any impact to BGP sessions? I sill need access-lists dropping BGP traffic to my router addresses and explicit allowing my bgp peers, right? Any suggestions / ideas welcome. Thanks and best regards Marco

14 years, 7 months

SwiNOG-BE64 - Beer Event 64 - 4th of August 2008 @ Juan Costa / Huerlimannplatz / ZH

by Steven.Glogger＠swisscom.com

hi everybody well... new beer event, new location. please register asap ,-) the facts for the next event: ----------------------------- Date: 4th of August 2008 Time: starting around 18.30 o'clock Location: @ the "Juan Costa" beside HuerlimannPlatz / Google www.juancosta.ch -> HuerlimannPlatz Registration deadline: 02.08.2008 18:00:00 Registration: ------------- Please register here: http://swinog.mrmouse.ch/ since we have to make reservations, i need to know who's coming and who not. If you cannot attend and you're registered please inform me asap. if you cannot find us: call me on my mobile: +41 79 277 92 35. greetings -steven

14 years, 7 months

Juniper & VPN to a dyndns site

by Josh Geisser

Hi Swinog I've noticed that quite a few Firewalls don't support VPN to a DNS name as peer, so you'll have to enter the remote IP , and better having a fixed IP on the remote site :) Does anyone know whether it's possible to enter a dyndns record as remote side on a Juniper Firewall? Cheers Josh

14 years, 7 months

2008 Infrastructure Security Survey

by Danny McPherson

Folks, The 2008 Infrastructure Security Survey is up and available for input. You can register to complete the survey at this URL: <https://www.tcb.net/survey/index.php?sid=19672&lang=en> I've added many questions this time from past participants of the survey, this should be evidenced throughout. Thanks to all those that reviewed and provided questions explicitly for this edition. The survey response window will be ~2 weeks. We hope to make the results available by the end of September at the latest. Also, please recall that NO personally (or organizationally) identifiable information will be shared in any manner. The 2007 edition of the survey is available here: <http://www.tcb.net/wisp07.pdf> Or on the Arbor web site (reg required): <http://www.arbornetworks.com/report> Thanks in advance for your participation! -danny

14 years, 7 months

This is what Linus Torvalds calls OpenBSD crowd ...

by Marco Fretz

... a bunch of masturbating monkeys Hi SwiNOGers, For all of you interested in OpenBSD (or Linux) have a look at this funny story i found at the openbsd-misc list. Its about bug / security fixing in Linux vs OpenBSD :-) http://article.gmane.org/gmane.linux.kernel/706950 and the spunky shirts / cups: http://www.cafepress.com/spankymm Read the full story here: http://www.mail-archive.com/misc@openbsd.org/msg64301.html Greets Marco

14 years, 8 months

Anthony Drozdek is out of the office

by Anthony Drozdek

I will be out of the office starting 18.07.2008 and will not return until 12.08.2008. I will reply to your message when I return. If you need immediate assistance please email Abdel Houdaf - abdel.houdaf(a)tele2.com

14 years, 8 months

Firewall recommendation for a rack of webservers?

by Olivier Mueller

Hello, Now that the office firewall is running fine (uptime: 34 days, not a single problem since last month, cf. the "VDSL/Zyxel P2802 HWL not "strong" enough for a small company LAN?" thread), I'm now back, looking for a new kind of firewall :) For a specific project with it's own rack @datacenter, I would need a device to "protect" about 10 web-servers: - deny everything, and then - allow web traffic (80/443) from everywhere -> servers - allow administrative (sftp/ssh) traffic from specific IP's - ability to detect http-based "attacks/ddos" (like bad configured spidering) : if there are too many http requests from specific hosts -> throttle/deny access for some time. I guess it's something which should be implemented on application level, but who knows... ? - bandwidth: average: 5Mbit/s, peaks: 10-15Mbit/s - stable, reasonable price... (max 1-3kChf?) - rackmount Under digitec.ch ( http://www.digitec.ch/ProdukteAuswahl2.aspx?knr=490 ) as a start there are 9 "Rackmount" FW's. But most of them are VPN-oriented, with IpSec-Tunnels, SSL-Tunnels, etc: mostly stuff which is expensive and that I really don't need. Is there anything you can recommend in this case? It if was only me, I would take something there: http://pfsense.org/index.php?option=com_content&task=view&id=44&Itemid=50 and start with that. But the customer would also like to see some "non open-source"-based solutions... :> Regards, Olivier

14 years, 8 months

netflow capable switches

by julien mabillard

Hi, this might be a naive question but still needs a good answer ;-) Are there ethernet switches else as cisco that can provide netflow traffic informations? Or do they use snmp for the same informations instead? thank you. --

14 years, 8 months

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

swinog July 2008