[Techtalk] DMZs, etc.

jhamilto at n2h2.com
Tue Dec 11 12:05:07 EST 2001


Security is made up of more than just 'is your box broken into?'. In
fact, setting up a 'secure' system includes more factors than you may
realize. For instance, you should account for the fact that your servers
are not in a very 'secure' place, your office. You should definitely
look for another room, as jenny v mentioned, that can be locked at all
times. You should also account for environmental failures that can
threaten your computer equipment, like backup power plans in case of
electricity failure, or how you would recover the data in case of a
fire. Hopefully you have already set up a backup scheme for your file
server and any other important data, system configurations, and
installations. If you are really interested in setting up a secure site,
I recommend the book White-Hat Security Arsenal: Tackling the Threats,
which will open your eyes to threats and vulnerabilities that you've
never thought of before.

If you only want to set up NFS for a CVS repository, I'd recommend
sharing code to CVS remotely from all users instead of using NFS. Not
only for security reasons, but also for CVS management.

If you are willing to spend up to $500 on a fast, easy, and scalable
firewall (and router, NAT, DHCP server) there are some small-office
solutions. One example is Watchguard's SOHO firewall, which can probably
be found on Ebay for a couple hundred. Retail price from the web site
(http://www.watchguard.com/products/soho.html) is about $400. I've used
this at home and it's really easy to set up. It offers a lot of the
firewall features that you are looking for, and it would only take a
couple of hours to set up.

I don't know what kind of business you run, but scalability and ease of
use are sometimes worth the money to pay for a solution that comes 'out
of the box'. Remember to factor in time and resources as well as price
when deciding on a solution for a business environment.

Jen
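The DMZ reasoning quoted further down in this thread (servers have more open ports, so a firewall must sit between the server zone and the workstations) maps directly onto the three-NIC box Lahoma describes. The script below is an added example, not code from any poster or from Smoothwall, showing one iptables rule set for such a box. Interface names (eth0 to the Internet, eth1 to the internal LAN, eth2 to the DMZ), the private address ranges and the published web server address are all assumptions chosen for illustration. The rules are printed rather than applied by default so the zone matrix can be reviewed first; `policy_check` reads the same rule text to confirm which zones may open new connections to which.

```shell
#!/bin/sh
# Added example (not from the thread): a three-interface iptables policy.
# Assumed layout: eth0 = Internet, eth1 = internal LAN, eth2 = DMZ server farm.
RED=eth0; GREEN=eth1; ORANGE=eth2
GREEN_NET=192.168.1.0/24        # assumed internal LAN range
ORANGE_NET=192.168.2.0/24       # assumed DMZ range
DMZ_WEB=192.168.2.10            # assumed address of the published web server

# dmz_rules prints the rule set instead of applying it, so the policy can be
# reviewed (or tested) before it touches a live box. Pass "apply" to run it.
dmz_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# internal LAN may open connections to the Internet and to the DMZ
iptables -A FORWARD -i $GREEN -o $RED -s $GREEN_NET -j ACCEPT
iptables -A FORWARD -i $GREEN -o $ORANGE -s $GREEN_NET -d $ORANGE_NET -j ACCEPT
# inbound web traffic is NATed to the one published DMZ host, web ports only
iptables -t nat -A PREROUTING -i $RED -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
iptables -t nat -A PREROUTING -i $RED -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB
iptables -A FORWARD -i $RED -o $ORANGE -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $RED -o $ORANGE -d $DMZ_WEB -p tcp --dport 443 -j ACCEPT
# DMZ hosts may answer (ESTABLISHED above) but never initiate into the LAN;
# log the attempt, since a DMZ box trying to reach the LAN is a sign it was compromised
iptables -A FORWARD -i $ORANGE -o $GREEN -j LOG --log-prefix DMZ2LAN:
iptables -A FORWARD -i $ORANGE -o $GREEN -j DROP
# the firewall's own web administration page is reachable only from the LAN
iptables -A INPUT -i $GREEN -s $GREEN_NET -p tcp --dport 81 -j ACCEPT
# outbound masquerading for the LAN and DMZ
iptables -t nat -A POSTROUTING -o $RED -j MASQUERADE
EOF
}

# policy_check answers "may zone A open a new connection into zone B?" from
# the same rule text: it succeeds only if an ACCEPT rule exists for that pair.
policy_check() { # $1 = in-interface, $2 = out-interface
  dmz_rules | grep -v '^#' | grep -q -- "-i $1 -o $2 .*-j ACCEPT"
}

if [ "$1" = "apply" ]; then
  # each printed line is a plain command with no quoting, so word-splitting is safe
  dmz_rules | grep -v '^#' | while read -r rule; do $rule; done
fi
```

Run it with no arguments to print the rules for review, or `sh dmz.sh apply` as root to load them. The ESTABLISHED,RELATED rule is what lets DMZ servers reply to LAN clients without ever being allowed to start a connection toward the LAN, which is the whole point of the separate zone.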


-----Original Message-----
From: Lemanski, Lahoma J. [mailto:LJLemanski at mail.ifas.ufl.edu]
Sent: Tuesday, December 11, 2001 5:42 AM
To: 'Michelle Murrain'; Techtalk (E-mail)
Subject: RE: [Techtalk] DMZs, etc.


I set up a hardware firewall last night that has all the functionality
you could possibly hope for, it is a linux kernel based firewall, and
uses an old box.

All you need is three nics (if you want to set up a DMZ server farm),
(for the easiest setup, nics made by different manufacturers would be
best), 16 megs of RAM, a cdrom drive, an old hard drive (I used a WD
420 MB disk), an old video card and keyboard, and a monitor (the
monitor is only needed during the initial setup). If your old machine
has issues with booting from the cdrom, you can make a boot disk from an
image provided with the install disk. It is remotely configurable from a
web browser, acts as a dhcp server, caching dns server, and can also set
up dyndns for your webservers/ftp servers if necessary. You can download
the iso from www.smoothwall.org. I highly recommend it. They are
currently working to produce a product that can use solid-state memory
instead of a hard drive, and if you want to make a donation to their
paypal account it may help them with their development. I have tested
the integrity of this product (with the help of a friend who also runs a
smoothwall) and even the most aggressive and sneaky scanning tactics
produced no results. Also, the web administration interface is really
beautiful, configuration is easy, and really great help and
documentation is available.
Good Luck,
Lahoma 

-----Original Message-----
From: Michelle Murrain [mailto:tech at murrain.net]
Sent: Monday, December 10, 2001 3:39 PM
To: techtalk at linuxchix.org
Subject: Re: [Techtalk] DMZs, etc.


At 03:02 PM 12/10/2001, you wrote:
>Just a spot of theory here:
>
>The reason for putting servers in a DMZ and having a separate zone for
>internal boxes is that servers run extra software and have extra ports
>open. This makes them more vulnerable than workstations.
>
>NOT having a firewall between the servers and the workstations makes
>the workstations (and the local traffic) almost as vulnerable as the
>servers. This is usually considered A Bad Thing - at least in
>commercial situations.

OK, it sounds like it makes the most sense to set up the DMZ, and live
with the extra heat and cost. I just wish that someone would come up
with really cheap (<$500) linux-based network appliances that don't take
much electricity, or generate much heat. Anyone heard of such a thing?

.Michelle

---------------------------------------
Michelle Murrain, Ph.D.
tech at murrain.net
AIM:pearlbear0
http://www.murrain.net/ for pgp public key


_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://www.linuxchix.org/mailman/listinfo/techtalk
