[AG-TECH] Access Grid 3.0 beta1 available !
Ivan R. Judson
judson at mcs.anl.gov
Tue Jan 31 10:28:15 CST 2006
I think the interesting question from a user perspective is:
Would you rather open one port and we tunnel all traffic through it (and
you'll never know about all the types or kinds of traffic) or make it easy
to have one tunnel per type of data/connection that's easier to open/close
and audit based on actual use?
I *think* the future is in the latter, because you can easily see a
manageable system being built that allows programmatic (with authentication
obviously) access for dynamically opening and closing tunnels based on
specific "contracts" about usage, data, src/destination, duration, etc.
I can't see any good way to justify "opaque aggregate tunnels" that hide the
fact a break-in occurred in a mess of other data.
That's just my $0.02.
> -----Original Message-----
> From: owner-ag-tech at mcs.anl.gov [mailto:owner-ag-tech at mcs.anl.gov] On
> Behalf Of Frank Sweetser
> Sent: Tuesday, January 31, 2006 8:10 AM
> To: John Hodrien
> Cc: ag-tech
> Subject: Re: [AG-TECH] Access Grid 3.0 beta1 available !
> On Tue, Jan 31, 2006 at 01:49:50PM +0000, John Hodrien wrote:
> > On Tue, 31 Jan 2006, Frank Sweetser wrote:
> > >As an employed network nazi myself, I think I can answer that =)
> > ;) No offence to network nazis intended (I'm sometimes accused of being
> > myself).
> None taken =)
> > Realistically, how many attacks come over UDP?
> Quite a few. It may be a smaller percentage than TCP, but there's enough
> SMB attacks, DNS poisoning, etc that you certainly can't ignore it. Just
> at all of the (thankfully short-lived) fun that SQL slammer caused with a
> single UDP packet payload.
> This is probably drifting a little off topic, but if anyone is interested
> in really seeing what's going on Out There on the Internet at large,
> http://www.dshield.org/ and http://isc.sans.org/ provide great statistics
> and summaries from around the world.
> > I agree, although sometimes it can be hard to put any case together that
> > get results. We've had problems with collaborators (we thankfully have
> > flexible policies here) because they'd have endless firewall problems.
> Yup - it's always harder dealing with the remote sites, isn't it? As
> mentioned, we had no end of problems dealing with at least one remote
> because we were never really able to open a good channel of communication
> their infrastructure admins.
> Heck, it may be worth if for someone who's had good luck to throw together
> a whitepaper - "Top 10 Most Effective Arguments for Bribing or Convincing
> Network Nazis to Help Make AG Go" ;)
> Frank Sweetser fs at wpi.edu | For every problem, there is a solution
> WPI Network Engineer | is simple, elegant, and wrong. - HL
> GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
More information about the ag-tech