No subject


Tue Nov 13 08:16:38 EST 2012


On Tue, Jan 22, 2013 at 11:39 AM, JD <jdp at algoloma.com> wrote:
> On 01/22/2013 01:38 PM, Ron Frazier (ALE) wrote:
> > The TOS at most institutions forbid guest access to wired ports.  But, we
> > won't mention that.  I don't know about this specific institution.
>
> Perhaps it would be easier to just bring a wifi router to plug into the podium
> port from now on?  I have a tiny travel wifi router that I use at other meetings
> which is perfect for this.
>
> > Un natted connections sound a bit disturbing.  I would think the whole
> > institution would be running on a giant nat.  Even so, I think a Windows
> > machine should be OK as long as the OS firewall was running.
>
> NAT is not a method of security.  It is the firewall and LACK of NAT forwarding
> to specific ports that matters.
>
> If you run iptables on your Linux machines (who has just 1?) with logging
> enabled, you can see all the traffic that "NAT routers" allow in that you would
> never expect to see. Seriously - enable logging on iptables and watch all the
> attempts from behind a NAT router. These are inbound packets, not responses.

While I certainly don't subscribe to the "NAT is security" mindset, I also
haven't seen many (any?) general NAT implementations that forward a lot of
spurious traffic.  Granted, I run OpenWRT at home with full SPI enabled, but I
actually do a lot of things with wireshark on that network segment and the only
"surprising" things I see are the sheer volume of broadcast traffic from various
devices (cell phones, windows machines, etc.).  Never seen anything from the
outside.

That being said, obviously things like 1:1 NAT [1] offer no security.  But with
a "typical" 1:N NAT setup, the NAT machine has to decide which machine of N the
incoming packet goes to, so short of setting up a DMZ, most of those
implementations drop anything it doesn't have connection tracking for.  (Which
is why special conntrack modules are needed for things like passive-mode FTP,
anything that opens ports backwards, etc.)

> MS-Windows is not safe on any network, IMHO.  It is simply too much of a target.
> Linux without good firewall settings is scary too.
>
> > Re VPN, I was running hotspotvpn on Windows the other night at the meeting on
> > the wireless.  I was using HTTP protocol as far as what the menu says.  I
> > assume it was using SSL on 443.  I think it runs OpenVPN under the covers.
> > It was working fine.  When I ran speedtest.net to test it, it showed my data
> > exiting the tunnel in California.  Not the most efficient, perhaps, but it
> > worked.  They have a linux option, but I haven't gotten that working yet.
>
> I was using an NX remote desktop (ssh tunnel over port 443) while on Emory's
> Guest wifi network too. That worked.  I tried to use an ssh tunnel over a port
> in the 48K-55K range and it was blocked.  There didn't seem to be any dropped
> connection the entire time.

From the last time I tested things at Emory, it seemed like 53 was restricted to
their DNS resolvers, 443 was wide open, and 80 was being proxied.  Port 1194
seemed to be blocked on both TCP and UDP.

Has anyone tried SIT (6-in-4) tunneling?  Might be able to get full access via
IPv6 if that's allowed (but I'd be surprised).

[1] http://wiki.untangle.com/index.php/1:1_NAT

-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
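The distinction drawn in this message between 1:1 NAT, a "typical" 1:N NAT with connection tracking, and a DMZ host can be made concrete with a small model. The following Python is an added example, not code from this thread or from any NAT implementation it mentions; the class names (`Napt`, `OneToOneNat`), the addresses and the ports are constructed for illustration, and conntrack helper modules (e.g. for passive-mode FTP) are not modelled.

```python
"""Toy model of why a stateful 1:N NAT (NAPT) drops unsolicited inbound
packets while 1:1 NAT forwards every port.  Constructed example; all
addresses and ports below are made up (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Napt:
    """1:N NAT with a connection-tracking table, in the style of a home router."""
    public_ip: str
    dmz_host: Optional[str] = None          # catch-all for unmatched inbound, if configured
    next_port: int = 40000                  # next public port to hand out
    # (proto, public port) -> (inside ip, inside port, remote ip, remote port)
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: reuse or create a mapping, then rewrite the source."""
        for (proto, pub_port), (ip, port, rip, rport) in self.table.items():
            if (proto, ip, port, rip, rport) == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst, pkt.dport)
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pub_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: forward only what matches a tracked 5-tuple."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is not None:
            ip, port, rip, rport = entry
            if (rip, rport) == (pkt.src, pkt.sport):    # full 5-tuple match, as nf_conntrack requires
                return Packet(pkt.proto, pkt.src, pkt.sport, ip, port)
        if self.dmz_host is not None:                   # DMZ: the router stops deciding
            return Packet(pkt.proto, pkt.src, pkt.sport, self.dmz_host, pkt.dport)
        # No inside host to pick: drop, and record it the way an iptables LOG rule would
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (no conntrack entry)")
        return None


class OneToOneNat:
    """1:1 NAT: one public address per inside host, every port forwarded."""

    def __init__(self, mapping: dict):
        self.mapping = mapping                          # public ip -> inside ip

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.mapping.get(pkt.dst)
        if inside is None:
            return None                                 # not one of our public addresses
        return Packet(pkt.proto, pkt.src, pkt.sport, inside, pkt.dport)


def run_demo() -> dict:
    nat = Napt(public_ip="198.51.100.1")
    # Inside host A opens a connection to a web server; the reply is tracked and delivered.
    out = nat.outbound(Packet("tcp", "192.168.1.10", 51234, "203.0.113.5", 443))
    reply = nat.inbound(Packet("tcp", "203.0.113.5", 443, "198.51.100.1", out.sport))
    # An unsolicited probe of the public address: no entry, so no host to forward to.
    probe = nat.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.1", 3389))
    # Same public port as the tracked flow, but a different remote endpoint: also dropped.
    other = nat.inbound(Packet("tcp", "203.0.113.9", 443, "198.51.100.1", out.sport))
    # With a DMZ host configured, the same probe is handed to that host.
    dmz = Napt(public_ip="198.51.100.1", dmz_host="192.168.1.20")
    dmz_probe = dmz.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.1", 3389))
    # 1:1 NAT forwards the probe unconditionally.
    one = OneToOneNat({"198.51.100.7": "192.168.1.30"})
    one_probe = one.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.7", 3389))
    return {
        "reply_dst": (reply.dst, reply.dport),
        "probe_forwarded": probe is not None,
        "other_remote_forwarded": other is not None,
        "dmz_probe_dst": dmz_probe.dst,
        "one_to_one_dst": one_probe.dst,
        "drops_logged": len(nat.log),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `inbound` check in `Napt` is where the security property lives: without a matching tracked flow (or an explicit DMZ rule) there is simply no inside destination, which is why the 1:N case drops the probe while `OneToOneNat` passes it straight through. Real routers also age entries out and run protocol helpers for things like passive FTP, which this model omits.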
