On Fri, May 03, 2002 at 06:14:15PM -0400, Brian Furry wrote:
> I am in the process of getting a debian server in the high school that I
> teach in. The network admin is concerned about the security of the
> existing Novell Server, border manager, etc. Our ISP is very picky
> about not hogging more bandwidth than we are supposed to use.
> I have been carefully pushing for a debian linux server for about 3 years
> and now I am very close to getting one for my students to program on. The
> network admin is the last person I need to sign off on....
Much depends on the exact setup. And there I have to guess :)
> They all insisted that a dedicated firewall is a requirement. They are
Here I'm confused. What has this to do with your new server and what
has it to do with it being linux based?
I'm just guessing here, but I take it that your new server won't have a
direct connection to the internet, i.e. there is no telephone nor a
cable modem hooked up to it. Instead it uses the localnet to route
all its internet traffic via another local machine. That *other*
local machine should be a firewall and it should be there regardless
of your new server to protect your local network from the web, though
it probably needs to be reconfigured / adapted to deal with your new
server. I sure hope they do have that firewall in place right now,
whether it's a single machine firewall or a double layered (bastion
Or are they insisting on insulating the localnet from your new server?
In that case they should realize that anybody who brings in a laptop
is a big security risk for your localnet, so your localnet should be
set up to cope with it and your new server is not really changing that.
And, related, how are other machines protected against misuse? It's
for example easy to bring in a CD with lots of nasty programs to run
from any Windows machine in the localnet.
Or is your new server to be available from outside? In that case it
really should be insulated from the localnet. Best is to put it in
a DMZ apart from the localnet, directly connected to the already
Or is your new server physically accessible? Then they should realise
that most physically accessible machines can be easily overtaken by
bringing in a CD or even a floppy unless that machine has been secured
in other ways. Secure the box so it can't be opened, add a passwd on
the BIOS setup (and pray there isn't a generic passwd for that
particular BIOS like there is for most BIOSes), disallow booting from
removable media in the BIOS and configure your bootloader (lilo,
GRUB?) to need a passwd for special boots too. Again, things that
need to be done for any machine in the localnet regardless of whether
it's a linux or a Windows based machine.
> unanimous in their exhortation that the server be properly secured. "B"
> gave specific items to examine in this regard, and "A" offered to scan it
> from inside and outside our building.
> "A," "B," and "C" state that, even if it IS properly secured, this does
> not prevent some types of malicious behavior. "A" and "B" think that the
> risk is no greater than our current setup, while "C" has reservations that
> we should not increase our susceptibility, and that the 24-hour
> availability of this server leaves us open to mischief.
> I share "C"'s concern. In-school computer use is subject to various
> controls, not the least of which is teacher oversight. By design, a
> publicly accessible server on which students can run their own programs at
> 3 a.m. lacks this important security.
Ah, so it is accessible from the net. Go for a DMZ then. If your
school already offers public services, then such a DMZ should already
be in place, just hook your new server in, adjust the rules in the
firewall(s) that insulate the localnet from your public service machines.
And allow ssh access in only!
> In light of this last point, let me pose a situation: A student loads and
> runs a program onto this Linux server which then launches attacks on other
> computers or routers on the Internet. Such attacks could be as simple as
> participating in a Denial-of-Service attack. In our earlier meeting, you
> said that proper settings, permissions, and restrictions could prevent that.
Simply set up the DMZ to allow only ssh access to that box and disallow
all other access. Moreover, don't route anything from that new server
but the ssh connection. Again, the standard things regardless of whether
it's a linux or a Windows based machine.
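
The DMZ policy described in the reply above (ssh in only, nothing else routed from the new server), written out as an added example that is not part of the original message. It assumes an iptables-based Linux firewall in front of the DMZ; the address 192.0.2.10, the chain name DMZ_SERVER and the function name are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment for the firewall in front
# of the DMZ. Chain name, function name and address are assumptions.

dmz_ssh_only_rules() {
    server="${1-}"
    # Loose sanity check: digits and dots only, so the argument cannot
    # carry extra rule text into the generated ruleset.
    case "$server" in
        ''|*[!0-9.]*) echo "invalid address: $server" >&2; return 1 ;;
        *.*.*.*) ;;
        *) echo "invalid address: $server" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:DMZ_SERVER - [0:0]
# Send every forwarded packet to or from the server through its own chain.
-I FORWARD 1 -d $server/32 -j DMZ_SERVER
-I FORWARD 1 -s $server/32 -j DMZ_SERVER
# Inbound: new and ongoing ssh sessions to the server only.
-A DMZ_SERVER -d $server/32 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Outbound: only replies belonging to an ssh session someone else opened.
-A DMZ_SERVER -s $server/32 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Anything else, including traffic a student's program originates, is logged and dropped.
-A DMZ_SERVER -m limit --limit 6/min -j LOG --log-prefix "dmz-server-drop: "
-A DMZ_SERVER -j DROP
COMMIT
EOF
}

# 192.0.2.10 is a constructed placeholder (documentation address range).
# Review the output, then load it on the firewall with:
#   dmz_ssh_only_rules 192.0.2.10 | iptables-restore --noflush
dmz_ssh_only_rules "${1:-192.0.2.10}"
```

Because the outbound rule matches only ESTABLISHED packets from port 22, the server cannot open connections of its own, so it also cannot reach DNS or package mirrors until rules for those are added deliberately.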