[lug] TSIG overflow
charles at lunarmedia.net
charles at lunarmedia.net
Thu Mar 1 04:56:14 MST 2001
On Wed, 28 Feb 2001, Sean Reifschneider wrote:
> If they aren't capable of securing their Linux machine even to the
> point of using a respectable password, you'd better start offering
> them services to make sure that they *ARE* covered if you don't want
> them to leave. For example, our hosting includes the option of us
> doing security upgrades at no cost -- all of our clients have taken
> advantage of that.
> Are they using telnet to access the machine? The easiest thing to do
> is show them that when they do that, it's fairly trivial to watch the
> traffic. You *ARE* running a switched network to help cut down on
> such sniffing as well, aren't you?
i would rather not turn this thread into a basics of colocation
discussion. suffice it to say that we do indeed offer our
staff to customers as a resource for configuring and securing
their hosts. we offer each client their own broadcast domain as
well as each individual machine its own collision domain. we
offer a selection of acls to be applied to the group's default
gateway interface, the minimum of which blocks rfc1918 space and
spoofed packets in and outbound. we allow the customers to
subscribe to a newsletter the company puts out listing the newest
exploits, the patches to fix them and where they can be found to
download. in the end however, it is ultimately the choice of the
customer on how to handle their individual configurations.
the integrity of my company is the last thing that should be
questioned. it is very easy to write off a difficult client as
not worth the effort or too troublesome to deal with. our
philosophy is that as long as they have put their faith and
money into our network, its not an unreasonable request to see
exactly what happened when a machine is compromised and to give
them more than just text as resolve that it can be prevented
from occurring again.
with all due respect, i would prefer to stay with my initial
question rather than stray into company policy. i understand the
skepticism of anyone being asked 'where can i find this exploit?'
and knew the risk of heat i would recieve for doing so.
but i would prefer to hear no response than one that addresses
the company's approach to clientele. moreoever, if the
conversation is inappropriate for the list, i'd encourage the
moderator to please advise me. i'm not trying to rock the boat
or to start ill feelings between list members. i'm just trying
to find a resolution for my task at hand.
More information about the LUG