[KLUG Members] (no subject)

Bryan J. Smith members@kalamazoolinux.org
25 Jan 2002 08:50:34 -0500


On Fri, 2002-01-25 at 07:56, Scott Van Singel wrote:
> www server port 80 - Nat 208.149.174.59 port 80 to 101.1.23 port 80

This is an internal server?  If you are sharing out information to the
Internet, I highly recommend you put that server in a separate DMZ. 
This could be as simple as adding a NIC to the firewall and moving that
system to the hub/switch connected to that NIC.  If it is just one
system, you can use a crossover cable instead of a hub.

If the internal server you are using for this is also your file server,
DON'T!  Put together a separate $300-400 box for the DMZ.

> Exchange Mail - NAT 208.149.174.60 port 25/MAPI/POP3 to 10.1.1.26
> port 25/MAPI/POP3 

Again, more of the same.  I recommend you put SMTP/POP3 in your DMZ.  As
far as MAPI, keep your MAPI services internal -- and have it forward any
outbound SMTP to (and inbound from) the DMZ server.  Most MAPI E-mail
clients allow both MAPI and standards-based E-mail at the same time.

> Enable outbound FTP, SMTP (outbound and inbound),

Again, I'd make all incoming SMTP have to go through the DMZ.

> DNS, ICMP echo, nslookup,

DNS = nslookup.  You just need UDP-TCP/DNS outbound, non-SYN-TCP/DNS
inbound.

> telnet, terminal service (inbound and outbound),

You mean NT Terminal Server/Citrix WinFrame?  I'm curious how its
security works.  Let me guess, the Microsoft libraries, right?

> SSH, and pcAnywhere.

Don't like Symantec pcAnywhere myself, especially since SSH+VNC does
the same thing.  And I've done some recent testing with BackOrifice and
find its security is much, much better than some of the Microsoft,
Symantec and other admin tools that just use the built-in MS security.

The only thing I like about Symantec is their CEO.  He's 180 degrees
from Microsoft Linux security -- he believes OSS means white/gray hat
hackers have the code, and they are more numerous than black hat hackers
(who are the only ones who get the closed source code).

-- Bryan

-- 
Bryan J. Smith, Engineer        mailto:b.j.smith@ieee.org
AbsoluteValue Systems, Inc.     http://www.linux-wlan.org
SmithConcepts, Inc.          http://www.SmithConcepts.com
---------------------------------------------------------
1999 IRS Data:  The top 1% of income earners pay over 36%
of the taxes, but have less than 20% of the total income.
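One way to express the three-legged DMZ layout, the DMZ-only mail relay and the stateful DNS rules that the reply above recommends, as an added iptables example that is not from the original post or the list. Interface names, the DMZ subnet and the 203.0.113.x public addresses are assumptions (documentation placeholders standing in for the real addresses in the thread); with the default IPT="echo iptables" the script only prints the rules it would load.

```shell
#!/bin/sh
# Three-legged firewall: WAN on eth0, internal LAN on eth1, DMZ on eth2.
# Added example; interfaces, subnets and public addresses are assumed.
# Set IPT=iptables to apply for real; the default only prints the rules.
IPT="${IPT:-echo iptables}"
WAN=eth0; LAN=eth1; DMZ=eth2
WAN_WEB=203.0.113.59; WAN_MAIL=203.0.113.60        # public addresses (placeholders)
DMZ_NET=192.168.100.0/24; DMZ_WEB=192.168.100.23; DMZ_MAIL=192.168.100.26
LAN_NET=10.1.1.0/24; LAN_EXCH=10.1.1.26            # internal Exchange/MAPI host

dmz_rules() {
    $IPT -P FORWARD DROP
    # Stateful core: only replies to existing connections come back in, never new SYNs.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Published services are NATed into the DMZ, never into the LAN.
    $IPT -t nat -A PREROUTING -i $WAN -d $WAN_WEB -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
    $IPT -t nat -A PREROUTING -i $WAN -d $WAN_MAIL -p tcp --dport 25 -j DNAT --to-destination $DMZ_MAIL:25
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 80 --syn -j ACCEPT
    $IPT -A FORWARD -i $WAN -o $DMZ -d $DMZ_MAIL -p tcp --dport 25 --syn -j ACCEPT
    # Inbound mail is relayed DMZ -> internal Exchange on port 25 only; MAPI stays internal.
    $IPT -A FORWARD -i $DMZ -o $LAN -s $DMZ_MAIL -d $LAN_EXCH -p tcp --dport 25 --syn -j ACCEPT
    # Outbound mail from Exchange must leave through the DMZ relay, not straight out.
    $IPT -A FORWARD -i $LAN -o $DMZ -s $LAN_EXCH -d $DMZ_MAIL -p tcp --dport 25 --syn -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -s $DMZ_MAIL -p tcp --dport 25 --syn -j ACCEPT
    # DNS: UDP and TCP out from both segments; answers return via the stateful rule,
    # so no inbound SYN to port 53 is ever needed.
    for net in $LAN_NET $DMZ_NET; do
        $IPT -A FORWARD -s $net -o $WAN -p udp --dport 53 -j ACCEPT
        $IPT -A FORWARD -s $net -o $WAN -p tcp --dport 53 --syn -j ACCEPT
    done
    # Anything else the DMZ tries to start toward the LAN is logged and dropped,
    # so a compromised DMZ host shows up in the logs instead of reaching the file server.
    $IPT -A FORWARD -i $DMZ -o $LAN -j LOG --log-prefix "DMZ->LAN "
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

dmz_rules
```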