Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Network failure detection on linux boxes

from [Luis Lopez Sanchez] Network Security [Permanent Link]
Subject: RE: Network failure detection on linux boxes
Date: Wed, 11 Jan 2006 10:04:48 +0100 
Hi Piltrafilla,
 
Avoiding BGP4 dicussion (I suppose that you don't use BGP4 for
economical reasons, this is the ad hoc solution). You can re-definig
your customer's network architecture using HSRP
www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs009.htm on routers or
VRRP in your custumers' linux boxes:
 
http://off.net/~jme/vrrpd/
 
In particular Linux discussion about VRRP:
 
http://tips.linux.com/article.pl?sid=05/05/10/1436254&from=rss
 
This solutions are usual solutions for outgoing connections in HA.
 
This possible workarrounds could be useful for outgoing from your
customer's infrastructure to other networks, to incoming requests you
can use (instead to use BGP4) load balancers commercial that change DNS
A registers according to network availability (such us F5's DNS-3
http://www.f5.com/products/bigip/gtm/ ) or using round robin / load
balancing tricks in BIND to publish DNS registers, if you want two DNS
servers connected to each routed network and it are accesibles from the
Internet.
 
Have luck!
 
Regards,
 
--
Luis Lopez
InfoSec / IT-IS
Atos Origin
Albarracin 25 Madrid 28037
Spain
Phone: +34912148329
luis.lopez@atosorigin.com
http://www.atosorigin.com
 
pub  1024D/8A688104 1999/07/28 Luis Lopez <luis.lopez@atosorigin.com>
Key fingerprint = 550F 3545 C847 F61E 821C 3D8C 1A12 2C19  8A68 8104 
 
 
 
 


  _____  

From: Piltrafilla [mailto:piltrafilla@gmail.com] 
Sent: martes, 10 de enero de 2006 12:05
To: firewalls@securityfocus.com
Subject: Network failure detection on linux boxes


Hello,

A customer of mine has a two linux-based PCs acting as firewalls for
perimeter protection. Those boxes are linked to two different routers of
two different ISPs with different public address ranges.

Internal address range is RFC1918-based and firewalls is the place where
NAT is done to public address range depending on which outbound link is
chosen (routing decision). Basically default route is placed to first
ISP and some particular websites are statically routed through the
second ISP.

It is not possible to perform any kind of dynamic routing with any of
those ISPs, is there any kind of daemon of script that could run on the
fw boxes so that I could ping or access some hosts or websites on the
Internet through the first ISP and in case they are not accessible (any
kind of network failure, not only link fail on the WAN side of the ISP
router but also some backbone link of ISP) then it could just change the
default route in the boxes to go through the second ISP. NAT would be
outbound-performed on interfaces to each ISP router.

Thanks a lot in advance,

-- piltrafilla


------------------------------------------------------------------
This e-mail and the documents attached are confidential and intended solely
for the addressee; it may also be privileged. If you receive this e-mail
in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos Origin group
liability cannot be triggered for the message content. Although the
sender endeavours to maintain a computer virus-free network, the sender does
not warrant that this transmission is virus-free and will not be liable for
any damages resulting from any virus transmitted.

Este mensaje y los ficheros adjuntos pueden contener informacion
confidencial destinada solamente a la(s) persona(s) mencionadas
anteriormente. Pueden estar protegidos por secreto profesional Si usted
recibe este correo electronico por error, gracias de informar inmediatamente
al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos
Origin no se hace responsable por su contenido. Su contenido no constituye
ningun compromiso para el grupo Atos Origin, salvo ratificacion escrita por
ambas partes.
Aunque se esfuerza al maximo por mantener su red libre de virus, el emisor
no puede garantizar nada al respecto y no sera responsable de cualesquiera
danos que puedan resultar de una transmision de virus
------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  PIX replying with wrong SRC MAC?, astalavista . box . sk
Next by Date:  RE: PIX replying with wrong SRC MAC?, Andrew Shore
Previous by Thread:  Re: Network failure detection on linux boxes, Michael A. Price
Next by Thread:  PIX replying with wrong SRC MAC?, astalavista . box . sk
Indexes:  [Date] [Thread] [Top] [All Lists]