Mailinglist Archive: opensuse-security (409 mails)

Fileserver access from public networks?
  • From: Lars O.Grobe <grobe@xxxxxxx>
  • Date: Sat, 17 Aug 2002 13:38:03 +0200
  • Message-id: <20020817113153.9E693146A6@xxxxxxxxxxxxxx>

I have some questions about how to understand the usual security advice
regarding file services and public networks.

The usual scenario is a lan, with the internal servers (e.g. the file
server), secured by firewall solutions, a dmz, with external servers like www
or ftp, also secured with a firewall.

Everybody tells you: isolate the fileserver from public networks, don't use
smb or appleshare across the internet. Ok.

But we have the following scenario: we are at university here, students want
to access data from the internet. So there must be some kind of internet
access to the file server. Here are my questions:

- Why do people run ftp servers to share files, but tell me that cifs(smb)
and appleshare are "insecure" on public networks. Both encrypt passwords...
and data is not encrypted in ftp, either (?). It is much simpler for users to use
the same protocol (smb/appleshare) in university networks and at home (and ftp
doesn't keep type and creator information important for the mac-clients).

- I don't want to have one external server and one internal. I'm almost sure
that just the file I need when connecting from the outside will always be on
the internal server then ;-), and how to explain to our users that they have one
account, but are to store data on two file servers... Is it the only solution
to have one internal and one external file server, not connected?

- If I really install a second external file server, what about linking it
into the internal one? So I could create a subdir "internet_box" in users'
home dirs, pointing to their nfs-mounted directories on the external server.
So they could decide to make their files internet-accessible or not (some
will have all their data on the external server, while seeing only one file
server, while others who only work from university network won't use this
directory at all). What about this scenario?

How do you implement such installations? We are going to expand our students'
computer lab soon, and I want to have a clear structure of servers and
networks before.

Thank You, CU, Lars.
