[LUNI] Making a private network somewhat public.
Richard Reina
richard at rushlogistics.com
Thu Dec 13 13:01:51 CST 2007
Ramin,
Thank you very much for this very insightful reply. I'm going to look into this. I really appreciate the very insightful advice.
Thanks again,
Richard
Ramin K <ramin-list at badapple.net> wrote:

Let's all take a deep breath and stop telling security ghost stories.
What's the primary difference between a $20k firewall and a $50 one?
Throughput. That's right, stateful packet inspection at 100 Mb/s speeds
and up is CPU intensive and custom ASICs are expensive. Sure, a fancy
firewall can do protocol inspection and a few other things like stateful
fail over between redundant devices, but at the basic level they are all
implementing the same rules.
Allow packets from X to Y
Disallow packets from I to J
I've dealt with a number of compromised boxes and about the only way
they have been penetrated remotely is by the services running on them.
In summary don't expose services publicly.
I've dealt with all the Cisco patches for snmp, ssh, telnet, etc. over
the past eight years or so. We patched, but were never vulnerable to the
world at large because we filtered these protocols at the border.
In summary don't expose services publicly.
My recommendation is to configure your Linksys to accept no connections
from the Internet (likely the default) while turning off upnp, wireless,
and other nonsense. Now allow one machine access to the Internet and
install an MTA on it. I like Postfix, Sendmail would be fine, and do not
use qmail.
Allow the other machines in the office to send mail to this machine
and then allow it to send mail out to the Internet. If you wanted you could
buy the $150 Linksys and set the mail machine on a separate network and
only allow SMTP connections to it from the rest of your machines. It's
marginally safer, but overkill for an internal system that is never
going to get any connections from outside your network.
This setup keeps your system from accepting connections from outside,
keeps random machines from accessing the Internet, and allows mails to
be sent.
Ramin
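The setup Ramin describes (the relay accepts SMTP only from the office LAN, refuses everything else, and is the only box that talks SMTP to the Internet) written out as an added example. This is not code from the thread or from any of the list members; the LAN range 192.168.1.0/24 and relay address 192.168.1.25 are assumed placeholders, and the functions print the iptables commands and Postfix settings rather than applying them, so the output can be reviewed before it is run as root on the relay.

```shell
#!/bin/sh
# Added example: host firewall and Postfix settings for a single internal
# mail relay. Addresses below are hypothetical; override them via the
# environment (LAN_CIDR, RELAY_IP) to match the office network.
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
RELAY_IP="${RELAY_IP:-192.168.1.25}"

# Firewall rules for the relay host itself. The only inbound service it
# offers is SMTP, and only to the office LAN. This is the "allow packets
# from X to Y" rule; the DROP policy is the "disallow everything else" rule.
relay_firewall_rules() {
    lan="$1"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $lan --dport 25 -j ACCEPT
EOF
}

# Postfix main.cf fragment for the relay. It listens only on its LAN
# address, and relays only for the LAN (reject_unauth_destination stops it
# from becoming an open relay if a stray packet ever does reach it).
relay_postfix_main_cf() {
    lan="$1"; ip="$2"
    cat <<EOF
inet_interfaces = $ip, 127.0.0.1
mynetworks = 127.0.0.0/8, $lan
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# Postfix main.cf fragment for every other office machine: no listening
# SMTP service at all, and all outbound mail handed to the relay.
client_postfix_main_cf() {
    relay="$1"
    cat <<EOF
inet_interfaces = loopback-only
relayhost = [$relay]
EOF
}

# Print all three fragments when the script is run directly.
if [ "${SHOW_RELAY_CONFIG:-}" = "1" ]; then
    echo "## relay host firewall"
    relay_firewall_rules "$LAN_CIDR"
    echo "## relay host /etc/postfix/main.cf"
    relay_postfix_main_cf "$LAN_CIDR" "$RELAY_IP"
    echo "## office workstation /etc/postfix/main.cf"
    client_postfix_main_cf "$RELAY_IP"
fi
```

Run with `SHOW_RELAY_CONFIG=1 sh relay.sh` to see the output. The Linksys itself still has to stop outbound port 25 from every machine except the relay (Ramin's "allow one machine access to the Internet"); that is set in the router's access-restriction page, not in this script.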
--
Linux Users Of Northern Illinois - Technical Discussion
http://luni.org/mailman/listinfo/luni