Mailinglist Archive: opensuse (2358 mails)

Re: [SLE] Firewall
  • From: samelash@xxxxxxxxxxxxx (Samy Elashmawy)
  • Date: Wed, 13 Oct 1999 15:30:00 +0000
  • Message-id: <3.0.3.32.19991013153000.01360e94@xxxxxxxxxxxxxxxxxx>



>For security reasons, I recommend setting up what is called a bastion host.
>This is a machine that does nothing except keep people out (firewall). It
>is also your router. Consider these two scenarios:
>
>1) You have a fileserver that is your router and firewall. A cracker
>compromises your firewall, which is also your fileserver. He now has
>access to all of your files, and since it probably speaks SMB, he can
>watch/crack into your Windows machines as well.

OK, got that, makes sense.

>2) You have a dedicated firewall & router. It is compromised. Now the
>cracker has to compromise your fileserver. Since the firewall does not
>speak SMB (ie, no samba), gaining access to the fileserver becomes more
>difficult. Meanwhile, the cracker set off an alarm and you are getting
>e-mail telling you something is wrong. This gives you time to disconnect
>from the Internet and restore security.

If he cracks the firewall, what's to keep him from getting to/playing with
the server? SMB as we know is weak, and relies on the password, i.e. doesn't
use the unix/linux style security. Can't get windoze 95/8 to discern
read/write services, etc.

Most of the time you will have them writing anyway, with the nature of the
apps, and storing the data on the server.

>
>Use the 486 as a dedicated firewall. The fewer services you have running,
>the less opportunity to be cracked. Hang out at rootshell, bugtraq, Risk
>Digest or CERT for a few days. I did, and have decided I will never
>admin anything made by Microsoft.

OK, got that. Makes sense to me.

>> I can use twisted pair between the two
>> of them if I cross the cable wires, right.

My 100 Mbit hub does not support 10 Mbit, hence the need to add a card to
the linux samba server, so that it will have two cards, with the 100 Mbit
going to the hub, and the 10 Mbit going to the 486 firewall/ip masq machine.

This assumes that the file server can be set up to act as a hub/switch
etc. to allow the rest of the users on the hub to talk to the 486, so
they can see it. It has no PCI bus, and I have yet to see a 100/10
twisted pair ethernet card that uses an ISA bus and supports 100 Mbit
ethernet. Albeit it most likely won't operate at that speed anyway due to
the ISA bus.


                                                                   +---Client
                                                                   |
ISP------486/66 firewall/ip-masq------linux/samba server------hub--+---Client
                                                                   |
                                                                   +---Client

   <----one 10 Mbit to access firewall
                                                        one 100 Mbit to access hub---->

>Above, you list four computers and a hub. The cross-over will only work
>if you have one computer hooked up to your firewall.

Only two nodes between the 486 and the server, hence the use of the
crossover.
Server has another card to handle the 100 Mbit hub and clients hung off the
hub.
>
>Then change your Windows networking to use static IP and specify your
>gateway. Suffer a reboot, and it should work (after the router is
>configured, of course).

Already using static IPs, have three entries in the host files for
?nameresolution?, no big deal to add two more, one for the firewall, the
other for the second card on the samba server.

What's involved in setting up a gateway, or is it impractical, based on the
network diagram above?

>--
>George Toft http://gtoft.dynip.com
>Hawaii Pacific University MSIS Graduate Student
>"Investigating the Effects of Organization Size, Industry, and
>Workgroup Size on Server Administration Costs and Downtime."
>
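
Added example, not part of the original message or of either poster's setup: a shell check for the advice quoted above that the dedicated firewall should run as few services as possible and should not speak SMB. It reads `ss -H -tuln` output; the allow-list (SSH only) and the sample listener lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a bastion host's listening sockets against an allow-list.
# Input format: `ss -H -tuln` (Netid State Recv-Q Send-Q Local Peer).
# ALLOWED and the sample data below are assumptions made for this example.

ALLOWED="22"                 # ports the firewall is meant to expose (assumed: SSH only)
SMB_PORTS="137 138 139 445"  # NetBIOS name/datagram/session and SMB over TCP

# Reads ss-style lines on stdin and prints one finding per unexpected listener.
# Returns 0 when clean, 1 when anything unexpected is listening.
audit_listeners() {
    awk -v allowed="$ALLOWED" -v smb="$SMB_PORTS" '
        BEGIN {
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(smb, s, " ");     for (i = 1; i <= n; i++) issmb[s[i]] = 1
        }
        NF >= 5 {
            addr = $5
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # everything before it
            if (port !~ /^[0-9]+$/) next
            # Loopback-only listeners are not reachable from the network.
            if (host ~ /^127\./ || host == "[::1]") next
            if (port in issmb)      { print "SMB " $1 " " addr; bad = 1 }
            else if (!(port in ok)) { print "EXTRA " $1 " " addr; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample: a firewall that still has Samba and a web server enabled.
sample_listeners() {
    cat <<'EOF'
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 50   0.0.0.0:139       0.0.0.0:*
tcp   LISTEN 0 50   0.0.0.0:445       0.0.0.0:*
udp   UNCONN 0 0    192.168.1.1:137   0.0.0.0:*
tcp   LISTEN 0 100  127.0.0.1:25      0.0.0.0:*
tcp   LISTEN 0 511  [::]:80           [::]:*
EOF
}

# On a live host: ss -H -tuln | audit_listeners
```

Lines tagged SMB mean the firewall itself is offering file-sharing services; lines tagged EXTRA are any other listener outside the allow-list.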

