Nmap questions concerning my router

Running joke - see upthread. "Duane Arnold " started it about a week ago.

Old guy

Reply to
Moe Trin

This all boils down to physical security, and all of us know about that. No matter what operating system - no matter DHCP versus static - without physical controls and physical security, your systems are at huge risk. And did I mention it depends upon physical security?

Two things - we don't allow visiting computers to connect to our net. This includes vendors, employees, and family. There are big signs warning that un-authorized computers are subject to confiscation. If we discover an un-authorized computer, the contents get inspected. If we find something malicious, we let security handle things - messy. If it's obviously innocent, we'll return it when the owner is evicted. Otherwise it gets a free disk wipe. "New" computers as well as existing ones returning on-site (from shows, and the like) also get the wipe and install before connecting to our network.

For those vendors who bring in computers for a presentation, we have a special sandbox - no connection to us, and a limited connection to the world.

Right out of RFC2131. Note the second paragraph.

  7. Security Considerations

DHCP is built directly on UDP and IP which are as yet inherently insecure. Furthermore, DHCP is generally intended to make maintenance of remote and/or diskless hosts easier. While perhaps not impossible, configuring such hosts with passwords or keys may be difficult and inconvenient. Therefore, DHCP in its current form is quite insecure.

Unauthorized DHCP servers may be easily set up. Such servers can then send false and potentially disruptive information to clients such as incorrect or duplicate IP addresses, incorrect routing information (including spoof routers, etc.), incorrect domain nameserver addresses (such as spoof nameservers), and so on. Clearly, once this seed information is in place, an attacker can further compromise affected systems.

Malicious DHCP clients could masquerade as legitimate clients and retrieve information intended for those legitimate clients. Where dynamic allocation of resources is used, a malicious client could claim all resources for itself, thereby denying resources to legitimate clients.

I'm not at all surprised that it quit serving. Long ago, we had a user who wanted her "new computer" (a Mac IIci running OS 7.0), and it had been dropped off in an unconfigured state. So _she_ configured it. You know she got it wrong, and fumble-fingered the host IP address, setting it to the IP of an old Sun IPX (SunOS 4.1.3) that was the local NIS and DNS secondary. The Sun heard someone else answering ARP requests, and went into the corner and started to cry. Meanwhile, the entire building is now screwed. The router noted the change, and a security program flagged the change, sending mail to IT and Security. Only took about 20 minutes to find the Mac, and shut it down, but the Sun refused to talk. A networking restart brought it back up, but several other applications were wedged. We restarted ('telinit' rather than 'shutdown -r now') as the fastest way back up, though I'm sure if we had the time, we could have gotten it up without the restart. The "user" got a written warning notice, and the intern who had delivered the computer got a lecture, as did the guy who was doing Mac support. "Procedural changes were made" is a polite way of saying there was he11 to pay.

Old guy

Reply to
Moe Trin
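To make the RFC's second paragraph concrete, here is an added example (not from the thread and not Moe's code): a small Python parser for DHCP messages that flags an OFFER whose server identifier, router or DNS option is not on an allow-list of the servers you actually deployed. The packet bytes are constructed inline with a helper; the addresses 10.0.0.1 (legitimate server) and 10.0.0.77 (rogue) are assumptions.

```python
"""Parse DHCP OFFER messages and flag answers from servers we did not deploy.

Added example, not from the thread. The packet bytes are constructed inline;
the allow-lists (server, gateway and DNS all 10.0.0.1) are assumptions.
Real payloads read from a UDP socket bound to port 68 are parsed the same way.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 section 3: marks the start of the options
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0
DHCPOFFER = 2

# Assumed inventory of the legitimate infrastructure on 10.0.0.0/24.
KNOWN_SERVERS = {"10.0.0.1"}
KNOWN_ROUTERS = {"10.0.0.1"}
KNOWN_DNS = {"10.0.0.1"}


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP fixed header (236 bytes) plus the DHCP TLV option list."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {
        "op": op, "xid": xid,
        "yiaddr": _ip(payload[16:20]),              # the address being offered
        "siaddr": _ip(payload[20:24]),
        "chaddr": payload[28:28 + hlen].hex(":"),   # client hardware address
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def assess_offer(msg: dict) -> list:
    """Return findings for an OFFER carrying seed information we would not trust."""
    opts = msg["options"]
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPOFFER]):
        return []
    findings = []
    server = _ip(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    if server not in KNOWN_SERVERS:
        findings.append(f"offer for {msg['yiaddr']} from unknown DHCP server {server}")
    for code, known, name in ((OPT_ROUTER, KNOWN_ROUTERS, "router"), (OPT_DNS, KNOWN_DNS, "DNS")):
        raw = opts.get(code, b"")
        for j in range(0, len(raw) - len(raw) % 4, 4):   # these options may list several addresses
            addr = _ip(raw[j:j + 4])
            if addr not in known:
                findings.append(f"{name} {addr} is not one of ours")
    return findings


def build_offer(xid, client_mac, yiaddr, server_id, router, dns):
    """Constructed test packet: a minimal DHCPOFFER as a server would send it."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)                     # op=BOOTREPLY, ethernet
    hdr += bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8)          # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + bytes(10) + bytes(192) # chaddr, sname, file
    opts = bytes([OPT_MESSAGE_TYPE, 1, DHCPOFFER])
    for code, value in ((OPT_SERVER_ID, server_id), (OPT_SUBNET_MASK, "255.255.255.0"),
                        (OPT_ROUTER, router), (OPT_DNS, dns)):
        packed = ipaddress.IPv4Address(value).packed
        opts += bytes([code, len(packed)]) + packed
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed samples: the real server, and a box on the LAN answering with itself as everything.
LEGIT = build_offer(0x1234, "00:11:22:33:44:55", "10.0.0.50", "10.0.0.1", "10.0.0.1", "10.0.0.1")
ROGUE = build_offer(0x1234, "00:11:22:33:44:55", "10.0.0.50", "10.0.0.77", "10.0.0.77", "10.0.0.77")

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("rogue", ROGUE)):
        print(label, assess_offer(parse_dhcp(pkt)) or "ok")
```

The rogue offer trips all three checks; the legitimate one returns no findings. Run as a daemon on a monitoring host this gives you the "security program flagged the change" mail Moe describes, but for rogue DHCP rather than a duplicate IP.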

Thanks for the addresses, I'll check them out.

Yes, and also there must be some kind of NAT table that holds the outgoing information in a database (or something similar) when we request something (a web page, for example).

It must hold the destination IP of a packet and the destination port, as well as the source IP and source port, so as to be able to identify a possible reply from the remote side. Otherwise the router cannot know whether the inbound information it is receiving is a response to a previous request made by an internal host on the LAN that needs forwarding back to that host, or just a remote side trying to initiate a new connection with our router.

Sorry, but I still don't follow.

OK, about the 2nd part, I agree and understand it, but I am having trouble understanding the 1st part (I mean multiple NICs on the same PC and in the same network).

I can't understand this!! How can the computer listen on 10.0.0.1, 10.0.0.2 and 10.0.0.3 through the same interface? These 3 IP addresses are assigned to 3 different NICs!

Still a mystery to me :-)

OK, I won't press my mind further into this :-)

Aha! That's why when I fire up Firefox and tell it to connect to http://www/nikolas.tk it refuses to connect, saying "Request timed out". I can only view my webpage when I use http://dell or [link] or http://127.0.0.1, not [link].
Btw, what does the expression "Push this up the stack" mean?

So what happens when the packet reaches 10.0.0.138 and gets inspected, seeing that its final destination is 83.151.221.52? Does it get dropped/rejected?

Also, what do you mean by saying "(which would go on the loopback anyway)"? Only eth* are sent through the loopback interface, no?

Reply to
Nicky
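The table Nicky describes above, as an added example that is not part of the thread: a toy Python NAPT (masquerading) table keyed on the full 5-tuple. Outbound packets create state and get their source rewritten to the public address; inbound packets are forwarded only if they match state, and the entry is forgotten once the connection closes. The addresses are assumptions: LAN 10.0.0.0/24 behind 83.151.221.52, with 198.51.100.10 as the web server and 203.0.113.9 as an outside scanner (documentation addresses).

```python
"""Toy NAPT table: the per-connection state a home router keeps for masquerading.

Added example, not from the thread. Addresses are assumptions: the LAN is
10.0.0.0/24 behind the public address 83.151.221.52; 198.51.100.10 (web
server) and 203.0.113.9 (scanner) are documentation addresses. Packets are
tuples, only TCP is modelled, and there are no idle timeouts.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags")
LAN = ipaddress.ip_network("10.0.0.0/24")


class NatTable:
    def __init__(self, public_ip, first_port=32768):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound key (proto, lan ip, lan port, remote ip, remote port) -> state
        self.entries = {}
        # inbound key (proto, public port, remote ip, remote port) -> outbound key
        self.reverse = {}

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def _close(self, key):
        state = self.entries.pop(key)
        del self.reverse[(key[0], state["pub_port"], key[3], key[4])]

    def _note_teardown(self, key, side, flags):
        """Forget the mapping on RST, or once both ends have sent FIN."""
        state = self.entries.get(key)
        if state is None:
            return
        if "RST" in flags:
            self._close(key)
        elif "FIN" in flags:
            state["fins"].add(side)
            if state["fins"] == {"lan", "remote"}:
                self._close(key)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source, creating state on the first packet."""
        if ipaddress.ip_address(pkt.src) not in LAN:
            return None
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            pub_port = self._alloc_port()
            self.entries[key] = {"pub_port": pub_port, "fins": set()}
            self.reverse[(pkt.proto, pub_port, pkt.dst, pkt.dport)] = key
        pub_port = self.entries[key]["pub_port"]
        self._note_teardown(key, "lan", pkt.flags)
        return pkt._replace(src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        """Internet -> router: forward only what matches existing state."""
        if pkt.dst != self.public_ip:
            return None
        key = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if key is None:
            return None   # nobody inside asked for this; an nmap probe from outside lands here
        _, lan_ip, lan_port, _, _ = key
        self._note_teardown(key, "remote", pkt.flags)
        return pkt._replace(dst=lan_ip, dport=lan_port)


def demo():
    nat = NatTable("83.151.221.52")
    req = Packet("tcp", "10.0.0.138", 40000, "198.51.100.10", 80, {"SYN"})
    out = nat.outbound(req)                       # leaves as 83.151.221.52:32768
    reply = Packet("tcp", "198.51.100.10", 80, "83.151.221.52", out.sport, {"SYN", "ACK"})
    back = nat.inbound(reply)                     # mapped back to 10.0.0.138:40000
    probe = Packet("tcp", "203.0.113.9", 55555, "83.151.221.52", 80, {"SYN"})
    dropped = nat.inbound(probe)                  # no state: None
    nat.outbound(req._replace(flags={"FIN", "ACK"}))
    nat.inbound(reply._replace(flags={"FIN", "ACK"}))
    return out, back, dropped, len(nat.entries)  # table is empty once both sides closed


if __name__ == "__main__":
    print(demo())
```

Because the inbound lookup requires the remote address and port to match what the LAN host talked to, a different outside host reusing the same public port gets nothing either; that is the same 5-tuple keying Linux conntrack uses.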

Thanks a lot, Moe!

OK, btw what is a "Non-Disclosure Agreement"? Don't shoot me please for my irrelevance :-)

Cool! IT manager must be something more general, something about coordination of the whole business, right?

Great! 2 bills now! current bill++; :-)

Reply to
Nicky

This is always a sore spot with me personally:

CIO/Manager - doesn't mean they know crap about security, subnetting, etc... What it means is they know which of their people are best for which task/project/problem.

Administrator - the front line guy that is responsible for maintaining the network and may have grunts working for him too. Admins curse CIOs and Managers for asking them to configure things in non-standard ways :)

Architect - the chap that designs the network, subnets, etc... The one that the Administrator curses from time to time since they didn't see the full business need (because the CIO didn't give it to them)...

Security/Firewall Admin - the chap that gets blamed when something gets into the company :)

Each of these roles has specific areas of coverage and may overlap the others in many places, but being one does not mean you can be the other.

Reply to
Leythos

In article , Leythos wrote:
:Security/Firewall Admin - the chap that gets blamed when something gets
:into the company :)

And also the chap that gets blamed when something does not get into (or out of) the company and someone thinks it ought to. The mean guy that prevents people from doing things; the busy-body net-cop.

Reply to
Walter Roberson

I hope you have no Windows boxes in there.

Yours, VB.

Reply to
Volker Birk

There is a NAT table in the RAM of every machine which implements that.

They may be assigned to different NICs; sometimes all of them are assigned to one NIC.

With many operating systems (e.g. with Linux) it's possible to have more than one IP address assigned to one NIC.

For example, one can use this for virtual host techniques.

No. The loopback interface has the address 127.0.0.1. It's a virtual interface, sometimes called lo.

Yours, VB.

Reply to
Volker Birk

Well, no hard feelings I hope, I just wanted to know the difference and didn't have a clear picture :-)

So i take it you are a CIO also known as an IT manager?

Reply to
Nicky

X? Sure, most of our workstations run X. As for microsoft, we haven't had any windoze crap since 3.1 (not 3.11), and it was relatively secure as it was in the 'out-of-box' networking configuration. I think it was running DOS 5.

Old guy

Reply to
Moe Trin

Yes, but this is dynamic data. Remember that the source port number on your computer will be a random number above 1024. If you grab a page off some web server, the entire page (but not including embedded URLs that may have to be fetched) is downloaded as one connection. If you decide to pull up another page, that is a new connection, and your computer will use a different source port. When each connection is closed, the router forgets about it as it's no longer a connection.

If you press keys on your keyboard, the letters end up in some application on your display. How did they get there? Is the keyboard directly attached to that application? Move the mouse to another application, and type some more. The letters no longer go to the first application, they go to the second. How did they change destination - the keyboard is now apparently connected to the second application. Perhaps the keyboard is connected to your window manager? (Don't forget, I'm running X here, and not microsoft windoze.) Now press and hold the left Ctrl and Alt keys, and press the F2 key - hmmm, a new (text based) login prompt. This isn't using the window manager, as typing your username and password gets you into the computer as another session. How is the keyboard attached to the first application, then the second, and now this text session? (Press the left Alt key and the F7 key, and that should return you to the X desktop.)

So, the keyboard isn't attached to the desktop, but is connected to the computer. How do the keystrokes get to the application you have selected as opposed to some random place on the screen? The answer is that the keyboard is connected to a tiny program running on the O/S, and that program makes a network connection to the applications. In X (and windoze), the mouse cursor position tells the O/S which application is to receive the keystrokes. Thus, when you move your mouse to another application, the O/S changes the destination of the keystrokes, and your application doesn't have to know about all of the other things that are going on.

Yes, but those are IP addresses - and the NIC doesn't know about those. It knows MAC addresses. Now how does the "remote" system on your LAN (your router) know which interface to send the packet to? It only knows IP addresses. So, it uses the ARP protocol to find the MAC address, and your computer answers "I am 10.0.0.1". But which interface answers? With most O/S and without extra software, only one interface talks - EVEN IF IT HAS THE "CORRECT" IP ADDRESS OF ANOTHER INTERFACE. Why? The O/S looks at the _routing table_ to see which interface to use - it doesn't look at the /sbin/ifconfig output. The routing table shows three entries to the same network - which one to use? Do you pick one at random? Do you try to figure out which interface matches your source address? Or do you just pick one (depending on the O/S, the first or last one configured) and use that. You would like choice two (appropriate interface), but that takes extra CPU cycles to determine, and very few people ever run more than one NIC on a computer on the same network - so few people even need the code to determine this. This goes back to the origins of networking, when one network meant a single coax (or the equivalent), and only one NIC could "talk" at one time. Thus, there was no benefit to have more than one NIC on the same computer connected to the same wire because you could only use one at a time anyway.

If we speak 'drivers' in the microsoft form, think that the application sends packets to the correct protocol driver (TCP, UDP, ICMP, and so on) and that driver sends the packets to the IP driver, which sends the packets to the NIC driver, which actually causes the hardware to put the bits on the wire. Coming back, the NIC driver converts the bits on the wire to an IP packet, and hands this to the IP driver which strips off the IP headers and hands the packet to the protocol driver, which strips off the TCP header and figures out which application gets this packet.

No, my name is "10.0.0.138" AND "83.151.221.52" (and "127.0.0.1"), and this packet is for me. Here "IP Driver", take care of this. (OK, this is a TCP packet - here you are TCP Driver - take care of this.) (Hmmm, this packet is for the web server - hey, Apache - I've got something for you.)

If you are 10.0.0.138, and you have a packet for 83.151.221.52, who do you send this to? We already decided, this is "me", so I must be trying to talk to myself - send it via the loopback. In the case above (packet received from the 10.0.0.0/24 network on 10.0.0.138 and destined for 83.151.221.52), we wouldn't even waste CPU cycles sending it to the loopback, because the IP Driver recognized this packet is for "me".

Old guy

Reply to
Moe Trin
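The two decisions Moe walks through above ("is this packet for me?" before any routing, then "which entry in the routing table?" when it is not) as an added example that is not part of the thread: a toy Python host that keeps a set of local addresses and an ordered routing table. The interfaces, the second NIC on the same /24, and the gateway 10.0.0.1 are assumptions built around the thread's numbers; the tie-break between equal-length prefixes (first entry wins) is the simplification Moe describes, not a full model of any particular kernel.

```python
"""Toy IPv4 output routing decision: local delivery first, then longest-prefix match.

Added example, not from the thread. The interfaces, addresses and gateway are
assumptions modelled on the thread's numbers; real stacks add metrics, policy
routing and multipath on top, which this toy leaves out.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None   # None: directly connected, ARP for the destination itself


class Host:
    def __init__(self):
        self.local = {}    # every address configured on *any* interface -> that interface
        self.routes = []   # main table, kept in the order entries were added

    def add_addr(self, cidr, dev):
        """Like 'ip addr add': register the address and its connected route."""
        iface = ipaddress.ip_interface(cidr)
        self.local[str(iface.ip)] = dev
        if iface.network.prefixlen < 32:
            self.routes.append(Route(iface.network, dev))

    def add_route(self, prefix, dev, via=None):
        self.routes.append(Route(ipaddress.ip_network(prefix), dev, via))

    def lookup(self, dst):
        """Return (kind, device, next_hop) for a destination address."""
        ip = ipaddress.ip_address(dst)
        # Local delivery is decided before the routing table is consulted: the
        # address belongs to the host, not to the NIC it happened to be configured on.
        if str(ip) in self.local:
            return ("local", "lo", None)
        best = None
        for r in self.routes:   # longest prefix wins; equal prefixes: first entry wins
            if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise OSError("network is unreachable")
        return ("unicast", best.dev, best.via or str(ip))


def build_host():
    """Assumed layout: two NICs on 10.0.0.0/24 plus the public address on eth0."""
    h = Host()
    h.add_addr("127.0.0.1/8", "lo")
    h.add_addr("10.0.0.138/24", "eth0")
    h.add_addr("10.0.0.139/24", "eth1")       # second NIC on the same wire
    h.add_addr("83.151.221.52/32", "eth0")    # public address on the same NIC as 10.0.0.138
    h.add_route("0.0.0.0/0", "eth0", via="10.0.0.1")
    return h


if __name__ == "__main__":
    h = build_host()
    for dst in ("83.151.221.52", "127.0.0.1", "10.0.0.1", "10.0.0.139", "198.51.100.10"):
        print(dst, "->", h.lookup(dst))
```

A packet for 83.151.221.52 or for the address on eth1 never reaches the routing table at all; a packet for 10.0.0.1 matches both /24 entries and goes out eth0 because that entry came first, which is exactly why the second NIC on the same subnet sits idle.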

This is an agreement that prohibits me from discussing anything about my company or specific job. Personally, I don't care, but some companies get very excited if you say ANYTHING - you must be giving away the company secrets or something!!! This is also why I'm posting using this name from my home IP connection (even though I'm at work at the moment).

The IT Manager is my boss. He has other people like me who are the System Administrator, the Security Administrator, Sun Support, PC Support, Printer Support... each of us doing a different area of keeping the users happy. We all know something (little to lots) about the other jobs, but this way, I don't have to worry about kicking the printers, or doing something (other than perhaps turning it off) when the Magic Smoke(tm) escapes from some computer. ;-) By the same token, the others don't have to know how the network cables go here or there, or what IP address will be assigned the new server in the Purple Room (named from the carpet color - for some reason, each server room has a different colored carpet on the floor panels).

Old guy

Reply to
Moe Trin

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.