[ale] One NIC, two IP addresses on different VLANs?
Actually Target and Home Depot started when an outside contractor had
their credentials stolen. The credentials allowed access to certain
things (in Target's case, HVAC systems maintained by their contractor).
The customer data systems were sitting on the same wire as the HVAC
system. On top of that, the systems had unrestricted access outbound to
the Internet at large and in many cases used default passwords.
On 2014-11-19 13:22, Jim Kinney wrote:
> Yeah, but all of those were compromised from inside the LAN by a hijacked
> process introduced by a bad code update with trojaned patches. The theft
> occurred when security processes allowed connections to unvetted locations
> from within the LAN by supposedly secure machines.
>
> But a local, verified update repo is always a good thing.
> On Nov 19, 2014 3:21 PM, "Alex Carver" <agcarver+ale at acarver.net> wrote:
>
>> Let me write just a few words on why your customer data machine
>> shouldn't see the Internet directly:
>>
>> Target, Home Depot, Michaels, Staples, US Postal Service, ...
>>
>>
>>
>> On 2014-11-19 12:02, Raj Wurttemberg wrote:
>>> Yeah, I have actually started that process. Seems the most secure.
>>>
>>> Kind regards,
>>> /Raj
>>>
>>>
>>>> -----Original Message-----
>>>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Alex Carver
>>>> Sent: Wednesday, November 19, 2014 2:47 PM
>>>> To: ale at ale.org
>>>> Subject: Re: [ale] One NIC, two IP addresses on different VLANs?
>>>>
>>>> Sounds like the better idea is to keep the Internet away from your system
>>>> hosting customer data NFS and set up a completely independent machine
>>>> that acts as a local mirror of the Ubuntu repositories. Let that machine have
>>>> two NICs, one for each VLAN, put lots of firewall rules in place to make sure it
>>>> can only contact the external repositories and reject incoming connections,
>>>> then a few cron jobs to keep it synced every day.
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
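
The dual-homed mirror host suggested in the quoted message, sketched as an nftables ruleset with default-deny in both directions and no routing between the VLANs. This is an added example, not part of the original thread; the interface names, subnet, resolver and upstream repository addresses are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: constructed ruleset for a two-NIC repository mirror.
# Interface names and every address below are placeholders (assumptions).

flush ruleset

define IF_OUT   = "eth0"          # NIC on the Internet-facing VLAN (assumed name)
define IF_IN    = "eth1"          # NIC on the customer-data VLAN (assumed name)
define LAN_NET  = 10.20.0.0/24    # internal VLAN subnet (placeholder)
define RESOLVER = 192.0.2.53      # DNS resolver (placeholder)
define UPSTREAM = { 198.51.100.10, 198.51.100.11 }  # upstream repos (placeholders)

table inet mirror {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Internal clients may fetch packages from the local mirror over HTTP.
        iifname $IF_IN ip saddr $LAN_NET tcp dport 80 ct state new accept
        # No new connection is accepted from the outside VLAN.
        iifname $IF_OUT log prefix "mirror-in-drop " counter drop
    }

    chain forward {
        # The mirror never routes between the two VLANs.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Name resolution, only via the one resolver.
        oifname $IF_OUT ip daddr $RESOLVER udp dport 53 accept
        oifname $IF_OUT ip daddr $RESOLVER tcp dport 53 accept
        # Sync traffic, only to the listed upstream repositories.
        oifname $IF_OUT ip daddr $UPSTREAM tcp dport { 80, 443 } ct state new accept
        # Anything else leaving the box is logged and dropped.
        log prefix "mirror-out-drop " counter drop
    }
}
```

The ruleset deliberately has no management (SSH) rule; one would have to be added for the internal interface before loading it on a remote machine. `nft -c -f <file>` checks the syntax without applying it.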