[ale] One NIC, two IP addresses on different VLANs?

Alex Carver agcarver+ale at acarver.net
Wed Nov 19 16:43:09 EST 2014


Actually Target and Home Depot started when an outside contractor had
their credentials stolen.  The credentials allowed access to certain
things (in Target's case, HVAC systems maintained by their contractor).
The customer data systems were sitting on the same wire as the HVAC
system.  On top of that, the systems had unrestricted access outbound to
the Internet at large and in many cases used default passwords.


On 2014-11-19 13:22, Jim Kinney wrote:
> Yeah, but all of those were compromised from inside the LAN by a hijacked
> process introduced by a bad code update with trojaned patches. The theft
> occurred when security processes allowed connections to unvetted locations
> from within the LAN by supposedly secure machines.
> 
> But a local, verified update repo is always a good thing.
> On Nov 19, 2014 3:21 PM, "Alex Carver" <agcarver+ale at acarver.net> wrote:
> 
>> Let me write just a few words on why your customer data machine
>> shouldn't see the Internet directly:
>>
>> Target, Home Depot, Michaels, Staples, US Postal Service, ...
>>
>>
>>
>> On 2014-11-19 12:02, Raj Wurttemberg wrote:
>>> Yeah, I have actually started that process. Seems the most secure.
>>>
>>> Kind regards,
>>> /Raj
>>>
>>>
>>>> -----Original Message-----
>>>> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of
>>>> Alex Carver
>>>> Sent: Wednesday, November 19, 2014 2:47 PM
>>>> To: ale at ale.org
>>>> Subject: Re: [ale] One NIC, two IP addresses on different VLANs?
>>>>
>>>> Sounds like the better idea is to keep the Internet away from your
>>>> system hosting customer data NFS and set up a completely independent
>>>> machine that acts as a local mirror of the Ubuntu repositories.  Let
>>>> that machine have two NICs, one for each VLAN, put lots of firewall
>>>> rules in place to make sure it can only contact the external
>>>> repositories and reject incoming connections, then a few cron jobs to
>>>> keep it synced every day.
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>
>>
> 
> 
> 
> 
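The two-NIC mirror host Alex Carver sketches in the quoted message (one NIC per VLAN, firewall rules so it can only reach the external repositories and refuses inbound connections, cron jobs to keep it synced daily), written out as an added example; this is not code from the thread or from anyone on it. Everything concrete in it is an assumption for illustration: the interface names eth0/eth1, the customer-data subnet 10.20.0.0/24, the upstream mirror and resolver addresses 203.0.113.10 and 203.0.113.53, the admin host 10.20.0.5, and the choice of nftables and apt-mirror. One refinement of "reject incoming connections": the customer-data machine still has to fetch packages from the mirror, so inbound is rejected everywhere except the HTTP port on the internal NIC (plus SSH from one admin host), and the forward chain is empty so the host cannot turn into a router between the two VLANs, which is the whole point of keeping them apart.

```shell
#!/bin/sh
# Added example for the ALE thread, not code from the thread. Generates the
# configuration for a two-NIC repository mirror host: an nftables ruleset, a
# sysctl fragment that disables routing, and a cron entry for the daily sync.
# Interface names, subnets, addresses and the choice of nftables/apt-mirror
# are assumptions for illustration.

gen_nft_ruleset() {
    ext_if="$1"    # NIC on the Internet-facing VLAN
    int_if="$2"    # NIC on the customer-data VLAN
    int_net="$3"   # customer-data VLAN subnet, e.g. 10.20.0.0/24
    upstream="$4"  # address of the one external repository mirror we sync from
    resolver="$5"  # the one DNS resolver this host may query
    admin="$6"     # admin workstation allowed to SSH in over the internal VLAN
    cat <<EOF
flush ruleset
table inet mirror {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # the only services offered, and only towards the customer-data VLAN
        iifname "$int_if" ip saddr $int_net tcp dport 80 accept
        iifname "$int_if" ip saddr $admin tcp dport 22 accept
        # internal clients get an immediate refusal; the Internet side gets
        # silence from the drop policy
        iifname "$int_if" reject with icmpx type admin-prohibited
    }
    chain forward {
        # a mirror, not a router: nothing crosses between the two VLANs
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # the only reasons this host ever talks outwards
        oifname "$ext_if" ip daddr $resolver udp dport 53 accept
        oifname "$ext_if" ip daddr $upstream tcp dport { 80, 443 } accept
        counter drop
    }
}
EOF
}

# Belt and braces for the empty forward chain: the kernel will not route at all.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 0\nnet.ipv6.conf.all.forwarding = 0\n'
}

# Nightly sync; apt-mirror reads its mirror list from /etc/apt/mirror.list.
gen_sync_cron() {
    printf '%s\n' '0 3 * * * root /usr/bin/apt-mirror >>/var/log/apt-mirror.log 2>&1'
}

# Write all three files into a directory (a staging dir first; copy them to
# /etc/nftables.conf, /etc/sysctl.d/ and /etc/cron.d/ after review).
write_mirror_config() {
    outdir="$1"; shift
    mkdir -p "$outdir"
    gen_nft_ruleset "$@" > "$outdir/nftables.conf"
    gen_sysctl > "$outdir/99-no-forward.conf"
    gen_sync_cron > "$outdir/apt-mirror.cron"
}

# usage: mirror-config.sh OUTDIR EXT_IF INT_IF INT_NET UPSTREAM RESOLVER ADMIN
if [ "$#" -eq 7 ]; then
    write_mirror_config "$@"
fi
```

Check the generated ruleset with `nft -c -f nftables.conf` before loading it with `nft -f`. Two caveats a practitioner will hit: the egress rule pins a single upstream address, so pick one specific mirror host rather than a CDN-fronted name whose addresses rotate, or the nightly sync will silently stop; and the mirror does nothing to authenticate what it copies, so the apt clients on the customer-data VLAN must keep verifying the Release signatures against their own keyring, which is the only thing standing between them and the trojaned-patch scenario Jim raises above.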
