Joyce, Matthew <MJoyce@ccia.org.au> [2002-11-11 10:03:10 +1100]:
> At the moment I have to ask for ports to be opened on our networks router,
> and they are not really happy with me going back to them again and again,
> asking for new ports to be opened.
>
> Should I ask for all access control to be removed from the ip address of the
> box, and then secure the box within debian, or is it well worth having that
> extra level of security on the router ?

The router firewall is a good measure of security. I would keep it.
You are only going through this problem during your setup time. After
you get things stabilized changes will be rare events. The router
admins should be realizing this and should be working with you as you
get things set up. Enabling and disabling ports on a router is very
easy to do. I myself turn them on one at a time as I turn on that
protocol on the new system. That takes things nice and slow at a pace
where everything is understood as things change. By sounding like
they are frustrated by these requests they are showing that they are
both not truly concerned about security and also inexperienced at
setting up new networks.

> To be able to send and receive emails.

SMTP Port 25

> To access email via IMAP and POP3, including ssl.

Depending upon your authentication methods you will need different
ports. So I can't say. I am not a POP/IMAP expert. Tag, someone
else is it for this knowledge.

> To access apache, including ssl

Port 80, port 443.

> To access files via ftp, including ssl.

Ew, ftp. I would avoid ftp unless you really need it. Unless you
have a new smart router with a stateful inspection module that means
opening up all ports. No one will fault you to avoid this. Okay,
people will. But stand up to them and face them down. Securing FTP
through a firewall can be a challenge. I recommend avoiding trying.
If anonymously distributing files have them distributed by your web
server instead. Otherwise for uploading have people use ssh.

> To access to box via SSH

Port 22.

Additionally, subscribe to debian-security-announce. When there is a
security update they will send a mail message. This is a very low
volume list and has just the information you need. When you get a
Security Advisory message, then run 'apt-get upgrade' on your box to
make sure you are up to date. This will keep you out of most problems
and is a strength of Debian. Be sure to use it.

> Also, I would like to be able to offer staff access to our
> network, including nt servers, from their homes, what VPN solutions are
> there available for MAC and Win2k clients to connect through a debian box ?

Depending upon what type of access you need to provide different
options are available. But you probably won't like them on the Windows
environments. They are all too unix-like.

If you need to terminal in then putty.exe is a fine ssh capable
terminal program. Putty is a workhorse here for windows users. Part
of that is pscp.exe which is the putty scp program. Cygwin has SSH
and with it you get rsync. Running rsync over ssh is a good way to
copy files over WANs. The MAC also has SSH capabilities and I believe
niftytelnet is the preferred one here. In any case, check out this for
options.

  http://www.openssh.com/windows.html

You will almost certainly want to look into the VNC program, Virtual
Network Computing. This is one of those truly good programs that
after you use for a while you will wonder how you lived without it.

  http://www.uk.research.att.com/vnc/

Since I don't do windows that is the limit of my knowledge there.
Good luck.

Bob
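
Added example, not part of the original message: a host-side check to run each time a port is opened on the router, comparing the box's network-reachable TCP listeners with the ports named in the reply (22, 25, 80, 443). The `ss` sample, the function names and the extra listeners in it are constructed for illustration; IMAP/POP3 ports are left out because the reply does not give them.

```shell
#!/usr/bin/env bash
# Added example: compare TCP listeners on the box with the router allowlist.

# Ports requested on the router, as named in the message (SSH, SMTP, HTTP, HTTPS).
ROUTER_PORTS="22 25 80 443"

# Constructed sample of `ss -H -tln` output so the script runs offline.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# Print sorted, unique ports that have a listener reachable from the network.
# Loopback-only listeners are skipped: the router never sees them.
exposed_ports() {
    awk '$1 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)      # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
        if (host ~ /^127\./ || host == "[::1]") next
        print port
    }' | sort -un
}

# audit "<allowed ports>": reads ss output on stdin, prints one finding per line.
#   UNEXPECTED n   a service listens on n but n was never requested on the router
#   NO_LISTENER n  n is open on the router but nothing answers on the box
audit() {
    allowed=" $1 "
    listening=" $(exposed_ports | tr '\n' ' ')"
    for p in $listening; do
        case "$allowed" in *" $p "*) ;; *) echo "UNEXPECTED $p" ;; esac
    done
    for p in $1; do
        case "$listening" in *" $p "*) ;; *) echo "NO_LISTENER $p" ;; esac
    done
}

# Offline run on the constructed sample; live use: ss -H -tln | audit "$ROUTER_PORTS"
printf '%s\n' "$SAMPLE_SS" | audit "$ROUTER_PORTS"
```

An `UNEXPECTED` line is a service to disable or bind to loopback before the router is touched; a `NO_LISTENER` line is a router rule to ask the admins to close again.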