Jeff Abrahamson on 5 Dec 2003 16:50:04 -0500
One of my Winter break projects is to improve security in my lab. I'm interested in your experienced thoughts lest I overlook something obvious. What I have now is a half dozen Linux boxes (and a Windows box whose fate is unimportant to me). I have IP addresses for all of them. They are on the same subnet with the rest of the CS department.

Scenario 1 (private LAN): make one box the gateway, put two ethernet interfaces on it, and put all other boxes on a private network (192.168.0.0) behind the gateway.

Scenario 2 (public LAN): make one box a gateway, put two ethernet interfaces on it, and put all other boxes behind it, but still with their existing IP addresses.

Scenario 3 (harden only): leave them as they are now, just harden the iptables rules on them to make sure they make sense.

The only services we run that are needed from the outside are a lab web server, sshd, and sfs_server (an authenticated, encrypted NFS that I have not yet set up, but plan to as part of this project). In option 1, I'd either run sshd and sfs_server on the gateway or open tunnels for them to some inside machine. In options 2 and 3, I would run whatever services I need to on each machine.

I will admit up front that I don't understand the pros and cons of scenario 2 very well. Comparing 1 and 3, the private LAN of 1 seems simpler and more secure, but may be more intrusive to operations and people's workflow. In addition, I wonder how long it will be before there's some problem with key authentication, either with SFS (in which host names and public keys must match) or with ssh (to scp past the gateway in one step, I would typically first ssh over it with "ssh -L8022:inside-machine:22 gw" and then "scp -P 8022 foo localhost:foo" to copy foo to inside-machine). Three seems like it could be made almost as secure as 1, except that if someone opens an insecure port on a workstation, it will be seen in the outside world. Also, there's more to pay attention to.
On the other hand, there's a lot of simplicity in running services. An additional advantage of the private LAN solution of (1) is that a compromise of the gateway doesn't risk internal data.

Any advice?

-- 
Jeff

Jeff Abrahamson <http://www.purple.com/jeff/>
GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
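A gateway ruleset for the private-LAN layout (scenario 1), added here as an illustration and not part of the original post: the gateway masquerades the 192.168.0.0/24 lab network, answers sshd itself, and forwards only port 80 to an inside web host. Interface names (eth0/eth1) and the inside web host address 192.168.0.10 are assumptions; sfs_server is left out since its port is not set up yet.

```shell
# Gateway firewall for the private-LAN layout (scenario 1): the public address
# stays on the outside interface, lab boxes sit on 192.168.0.0/24 behind it.
# Interface names and the inside web host are assumptions, not from the post.
EXT_IF="${EXT_IF:-eth0}"              # faces the department subnet
INT_IF="${INT_IF:-eth1}"              # faces the private lab LAN
LAN="${LAN:-192.168.0.0/24}"
WEB_HOST="${WEB_HOST:-192.168.0.10}"  # assumed inside box running the lab web server
# Emit the ruleset in iptables-restore format so it can be reviewed and
# diffed before being loaded atomically.
gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the private LAN behind the gateway's public address.
-A POSTROUTING -s $LAN -o $EXT_IF -j MASQUERADE
# Publish the inside web server on the gateway's public address.
-A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# sshd is the only service on the gateway itself that outsiders may reach.
-A INPUT -i $EXT_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $INT_IF -s $LAN -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inside boxes may open connections outward ...
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
# ... but the only new inbound flow let through is the DNATed web traffic.
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB_HOST --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the rules first, then turn on forwarding, so no packet crosses the
# gateway before the FORWARD policy is DROP.
apply_gateway_ruleset() {
    gateway_ruleset | iptables-restore && sysctl -w net.ipv4.ip_forward=1 >/dev/null
}
# "sh gateway.sh apply" loads the rules; with no argument just print them.
case "${1:-show}" in
    apply) apply_gateway_ruleset ;;
    *)     gateway_ruleset ;;
esac
```

Because the FORWARD policy is DROP, a service accidentally opened on a lab workstation stays invisible from the department subnet unless a DNAT rule is added for it deliberately.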