So far I’ve only used a pilot of Symantec’s (formerly Vontu) DLP product for my employer.  I had a blast testing it out on the network especially because of its flesh tone filter (if flesh_tone_filter then email me pr0n).  It’s a shame we may not see flesh tone filtering in opendlp any time soon; isn’t knowing where the pr0n is more important than the company’s lifeblood, intellectual property?

*You need to advance to 5:00minutes into the podcast for this segment (unless you want to listen about Cuban bloggers)

Related: Using airodump-ng to capture the authentication handshake.

Most brute forcing today usually comes from Asia or Eastern Europe — blocking continents (if you can get away with it) is great practice.  Below are some links where you can copy & paste problematic IP ranges into your .htaccess or hosts.deny file….

Apache .htaccess block format

Country IP Blocks – choose a country and select the output in many formats (CIDR, hosts.deny, etc)

Two problems:

1) No one is taking the time to properly configure / tune the IDS for the environment it’s placed in —> meaning thousands of events with many false positives.

2) The IDS events being generated are not monitored —> the average breach to compromise time is down to minutes in some cases meaning you don’t have time to wait.

The next generation Snort intends to solve both of the problems above.  Their calling their new version “Adaptive IPS” which features their real time network awareness (RNA) technology.  This RNA module constantly surveys your network taking inventory of OSes, services, protocols, and potential vulnerabilities that exist.  The RNA module then pushes configuration changes to Snort — auto tuning the IDS for your network!  I haven’t tried RNA myself but Roesch claimed several customers seeing a 90+% reduction in the number of IDS generated events.  With this dramatic reduction in events to monitor it should mean no excuses to not monitor your network.

Now, if Sourcefire can create a module that will monitor and act on events we won’t need NoCs anymore….

The article talks about methods to circumvent all of the above scenarios.  I actually do the most vanilla technique to overcome my employer’s web filter: dynamic ssh tunneling back to a server I have running at home.

Read it here:  http://blog.sebastien.raveau.name/2009/06/internet-by-all-means.html

I tweaked the TX Power using DD.  Be warned you can overheat your router if you try to crank this up too high.  The biggest signal boost I was raising my access point 2′.  Try to keep your AP elevated as much as possible.  See my image below….

I’m asking for your thoughts and feedback to solve this problem.  Right now I’ve come up with the following solutions:

• Connect a hub to the router’s WAN port.  Connect my cable modem and linux machine to the hub.
• Install DD-WRT on the Linksys router.  Does DD-WRT yet support span / tap (monitor) ports?
• Install two (2) NICs on the linux machine and route my cable modem through that before connecting to the router.
• Buy an affordable Cisco 2600 router off of eBay.

Please share your ideas and thoughts on the subject.