Re: [SLE] Firewall
- From: samelash@xxxxxxxxxxxxx (Samy Elashmawy)
- Date: Wed, 13 Oct 1999 15:30:00 +0000
- Message-id: <188.8.131.52.19991013153000.01360e94@xxxxxxxxxxxxxxxxxx>
>For security reasons, I recommend setting up what is called a bastion host.
>This is a machine that does nothing except keep people out (firewall). It
>is also your router. Consider these two scenarios:
>1) You have a fileserver that is your router and firewall. A cracker
>compromises your firewall, which is also your fileserver. He now has
>access to all of your files, and since it probably speaks SMB, he can
>watch/crack into your Windows machines as well.
OK, got that, makes sense.
>2) You have a dedicated firewall & router. It is compromised. Now the
>cracker has to compromise your fileserver. Since the firewall does not
>speak SMB (ie, no samba), gaining access to the fileserver becomes more
>difficult. Meanwhile, the cracker set off an alarm and you are getting
>e-mail telling you something is wrong. This gives you time to disconnect
>from the Internet and restore security.
If he cracks the firewall, what's to keep him from getting to/playing with
the server? SMB, as we know, is weak and relies on the password, i.e. doesn't
use the Unix/Linux style security. Can't get Windoze 95/8 to discern
read/write services, etc.
Most of the time you will have them writing anyway, with the nature of the
apps, and storing the data on the server.
>Use the 486 as a dedicated firewall. The fewer services you have running,
>the less opportunity to be cracked. Hang out at rootshell, bugtraq, Risk
>Digest or CERT for a few days. I did, and have decided I will never
>admin anything made by Microsoft.
OK, got that. Makes sense to me.
>> I can use twisted pair between the two
>> of them if I cross the cable wires, right?
My 100 Mbit hub does not support 10 Mbit, hence the need to add a card to
the Linux Samba server, so that it will have two cards, with the 100 Mbit
going to the hub, and the 10 Mbit going to the 486 firewall/IP masq machine.
This assumes that the file server can be set up to act as a hub/switch,
etc., to allow the rest of the users on the hub to talk to the 486, so
they can see it. It has no PCI bus, and I have yet to see a 100/10
twisted pair Ethernet card that uses an ISA bus and supports 100 Mbit
Ethernet. Albeit it most likely won't operate at that speed anyway due to
the ISA bus.
ISP------ ----486/66 firewall/ip-masq-------------linux/samba server
<----one 10 Mbit to access firewall |
one 100 Mbit to access hub----> +----Client
>Above, you list four computers and a hub. The cross-over will only work
>if you have one computer hooked up to your firewall.
Only two nodes between the 486 and the server, hence the use of the
server has another card to handle the 100 Mbit hub and clients hung off the
>Then change your Windows networking to use static IP and specify your
>gateway. Suffer a reboot, and it should work (after the router is
>configured, of course).
Already using static IPs, have three entries in the host files for
?name resolution?; no big deal to add two more, one for the firewall, the
other for the second card on the Samba server.
What's involved in setting up a gateway, or is it impractical, based on the
network diagram above?
>George Toft http://gtoft.dynip.com
>Hawaii Pacific University MSIS Graduate Student
>"Investigating the Effects of Organization Size, Industry, and
>Workgroup Size on Server Administration Costs and Downtime."