Re: XP box inside the firewall

To: debian-security@lists.debian.org
Subject: Re: XP box inside the firewall
From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Date: Fri, 1 Aug 2003 18:28:43 +0200
Message-id: <[🔎] 200308011828.43982.kjetil@kjernsmo.net>
In-reply-to: <20030730214418.GA25910@jcop.homelinux.com>
References: <200307301401.06309.kjetil@kjernsmo.net> <20030730120944.GA31771@flexo.xssass.be> <20030730214418.GA25910@jcop.homelinux.com>

On Wednesday 30 July 2003 23:44, Jeff wrote:
> > You can set the notebook on a different network. Put the
> > firewall/router on that network with another nic. It's the
> > principle of a dmz... By putting the notebook on another network,
> > and prohibitting access from that network to the internal network,
> > you can keep your internal systems safer...

Yeah, actually, I had been thinking about it. I recently got an old 3Com 
ISA card for NOK 5 (~ USD0.7) so I think I could insert another NIC. 
They talked about having a Wi-Fi base station, so I thought I'd keep it 
open but on a separate NIC so I can see what is going through there. 
That's what I intended to use it for. But when you mention it, treating 
the Windows box as a random machine trying to connect, that may be a 
good idea.

> This is a good option.  In addition, or even instead of this, educate
> your parents about your security concerns.  Assuming that you trust
> your parents, education could be the simplest solution.

Well, I think the concern is mostly having a windows box on the inside, 
because it is not an option for them to not open attachments in mails 
they receive. Thus far, it has been relatively easy to identify e-mails 
with viruses, but it not difficult to envision a virus coming piggyback 
on an attachment you do expect from a sender you usually trust, and I 
think it is quite unlikely that there isn't a vulnerability in e.g. 
Word that can be exploited to make Word execute a script in a Word file 
regardless of if it is disabled. 

So, my education of them has been pretty much "be aware that this box 
can easily be exploited, therefore, make sure there is nothing on that 
box that you would want to keep to yourself, and nothing that is not 
stored on the Linux workstation). Then, I have taken it upon myself to 
make sure that the box will not hurt the internal network or the rest 
of the Internet. 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC

Reply to:

Prev by Date: Re: honeyd and libdnet
Next by Date: Heads up: [lcamtuf@ghettot.org: [Full-Disclosure] Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning]
Previous by thread: Re: honeyd and libdnet
Next by thread: Heads up: [lcamtuf@ghettot.org: [Full-Disclosure] Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning]
Index(es):
- Date
- Thread