Hi,
actually the routing PC runs NetBSD; there is no telnet, ftp, compilers etc. The system is in a state where the disk is kind of write protected: data can only be added to special files (like logfiles), existing data cannot be modified or erased. The system can only be changed to single user mode by rebooting from the console (or tty), and only in single user mode is the write protection deactivated. The routing PC performs IP filtering too. This router PC is in one subnet with the server, which runs SuSE 6.3 and performs IP filtering and NAT; all the workstations are in a second subnet. I think it will be really hard to break into the router, and even when it is done, it should not be possible to get any tools to break into the server! By using two different systems, a possible intruder would have to know both. The thing I am concerned about is the mentioned possibility to follow a route to the workstation, as these are currently Win98 PCs and I do not think it would even be possible to get them secure.
thanks
mike
On 9 Jun 2000, at 13:49, Florian Gnägi wrote:
Hi
It is certainly true that your workstation is not easily accessible from the outside. However, every time you open a connection with HTTP, FTP or whatever, your gateway opens a port which will open a route to your inner workstation. I'm not an expert in this, but I guess with a little luck, a nasty tool and an insecure workstation one *could* get on the workstation without cracking the gateway in the first place.
Although this seems really paranoid, you can read in every security paper that it is better to use proxies on your gateway than network address translation. Then you have to crack the gateway before possibly getting into the inner network.
If someone cracked your gateway he has only the tools available on the machine. You can prohibit users from using / in commands (so they can't download a tool and use it since they just can't launch it with ./mytool.sh). There is a kernel patch which can make your system really secure with read-only logfiles and the like (they can only be written by the kernel itself); however, for maintenance you have to reboot into a less secure kernel since even root can't do anything with this patch.
I think for most cases it is secure enough to have no compiler installed, no user accounts, every damn port closed which is not necessarily used, ban every clear text protocol (telnet, ftp) and rsync your logfiles from an inner machine every once in a while (and read them ;-)
Maybe a real expert can confirm or deny the first paragraph?
enjoy the weekend
-florian
On Fri, 9 Jun 2000 Thomas Michael Wanka yelled into the voidness of cyberspace:
On 9 Jun 2000, at 11:28, Julien Calvet wrote:
yes you can ... You must use IP-route2 package to make NAT.
Hi,
to me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private lan through his router. And that AFAIK is not possible without getting access to the router.
This leads me to a question I wanted to post for quite a while:
I have a PC connected to the internet and my server doing NAT to allow access from my lan to the internet. My lan, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my lan as the private addresses are not routed in the internet. So someone would need to compromise my router, log in (with e.g. telnet) and then has access to my lan. If that happened, all he has to access my lan with are the programs installed on the router. Is that right?
thanks
mike
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
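The concern raised in this thread, that each outbound connection makes the gateway open a port leading back to a workstation, can be examined with a simplified model of a masquerading state table. This is an added example, not code from any poster; the `Masquerade` class, the addresses, the idle timeout and the policy of matching the full remote address and port are assumptions of the model, not a description of any specific kernel.

```python
# Simplified model of a masquerading (port-translating) gateway's state table.
# Constructed example: addresses are documentation/private ranges, and the
# matching policy (full remote address + port) is an assumption of this model.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"   # gateway's external address (constructed)
IDLE_TIMEOUT = 300          # seconds an unused mapping is kept (assumed)

@dataclass
class Masquerade:
    next_port: int = 61000
    # (proto, public_port) -> [lan_ip, lan_port, remote_ip, remote_port, last_seen]
    table: dict = field(default_factory=dict)

    def outbound(self, proto, lan_ip, lan_port, remote_ip, remote_port, now):
        """LAN host opens a connection: allocate a public port, record state."""
        for key, e in self.table.items():
            if key[0] == proto and e[:4] == [lan_ip, lan_port, remote_ip, remote_port]:
                e[4] = now
                return key[1]
        port = self.next_port
        self.next_port += 1
        self.table[(proto, port)] = [lan_ip, lan_port, remote_ip, remote_port, now]
        return port

    def inbound(self, proto, src_ip, src_port, dst_port, now):
        """Packet arrives on the public side. Returns (lan_ip, lan_port) or None (drop)."""
        entry = self.table.get((proto, dst_port))
        if entry is None:
            return None                      # unsolicited: no state, nothing to forward to
        lan_ip, lan_port, remote_ip, remote_port, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            del self.table[(proto, dst_port)]
            return None                      # mapping expired
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None                      # third party aiming at an open mapping
        entry[4] = now
        return lan_ip, lan_port

def demo():
    gw = Masquerade()
    p = gw.outbound("tcp", "192.168.1.10", 1025, "198.51.100.7", 80, now=0)
    return [
        gw.inbound("tcp", "198.51.100.7", 80, p, now=1),     # reply from the server
        gw.inbound("tcp", "192.0.2.66", 80, p, now=2),       # other host, same port
        gw.inbound("tcp", "198.51.100.7", 80, 23, now=3),    # port with no mapping
        gw.inbound("tcp", "198.51.100.7", 80, p, now=1000),  # after idle timeout
    ]
```

In this model the only traffic that reaches the workstation is what the remote endpoint of the workstation's own connection sends back, which address translation forwards as it is; that is the traffic an application proxy would terminate on the gateway instead.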