Tell him you could easily set up iptables to restrict outgoing connections, i.e. you can telnet in but not telnet out, or send packets in but not out. I have worked on many servers that have this feature, e.g. Compaq's TestDrive program. I also use this feature in one of my free shell servers.
>From: Brian Furry <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: [EMAIL PROTECTED]
>Subject: Help
>Date: Fri, 3 May 2002 18:14:15 -0400 (EDT)
>
>Hello:
>
>I am in the process of getting a Debian server in the high school that I
>teach in. The network admin is concerned about the security of the
>existing Novell server, BorderManager, etc. Our ISP is very picky
>about not hogging more bandwidth than we are supposed to use.
>
>I have been carefully pushing for a Debian Linux server for about 3 years
>and now I am very close to getting one for my students to program on. The
>network admin is the last person I need to sign off on....
>
>Below is a message from him, that I need to reply to in order for him
>to sanction the machine. I would like some help in creating a response
>to soothe his anxiety and fears.
>
>**********************************************
>
>I have described the Linux project, its uses, and its physical placement
>within our network, to four knowledgeable people, and asked for their
>thoughts and recommendations.
>
>A. Partner in a consulting company based in Hunterdon County. Their
>mission is to encourage Linux use in small/medium companies.
>
>B. Lt. Col. (ret.) USAF, now a contractor for the Air Force (process
>compliance and Unix network administrator)
>
>C. Network technician. This person builds wide-area networks for
>corporations and financial institutions
>
>D. Computer consultant. This person has extensive employment experience
>(programming, documentation, database, networking) with HP, Agilent, and
>others. Husband and brother also do design work for top computer firms.
>
>They all insisted that a dedicated firewall is a requirement. They are
>unanimous in their exhortation that the server be properly secured. "B"
>gave specific items to examine in this regard, and "A" offered to scan it
>from inside and outside our building.
>
>"A," "B," and "C" state that, even if it IS properly secured, this does
>not prevent some types of malicious behavior. "A" and "B" think that the
>risk is no greater than our current setup, while "C" has reservations that
>we should not increase our susceptibility, and that the 24-hour
>availability of this server leaves us open to mischief.
>
>I share "C"'s concern. In-school computer use is subject to various
>controls, not the least of which is teacher oversight. By design, a
>publicly accessible server on which students can run their own programs at
>3 a.m. lacks this important security.
>
>In light of this last point, let me pose a situation: A student loads and
>runs a program onto this Linux server which then launches attacks on other
>computers or routers on the Internet. Such attacks could be as simple as
>participating in a Denial-of-Service attack. In our earlier meeting, you
>said that proper settings, permissions, and restrictions could prevent
>that.
>
>Since this is one of the situations for which I am most concerned, can you
>give me (in excruciating detail) the steps which would prevent this?
>
>======================================================================
>Brian R. Furry   [EMAIL PROTECTED]
>
> The Power of Open Source can only give the people what
> they so richly deserve ...
>
> stable and flexible computing
>
>Debian/GNU Linux   www.debian.org
>=======================================================================
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact
>[EMAIL PROTECTED]
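An added example, not code from the reply above or from Debian, of the egress restriction the reply describes: a POSIX shell script that gives the iptables OUTPUT chain a DROP policy so the server answers inbound connections but cannot start new ones, plus an audit function that checks a dump of a running OUTPUT chain for the same property. It assumes iptables with the conntrack match; `LAN_DNS` is a constructed placeholder for the school's resolver.

```shell
#!/bin/sh
# Added example, not from the original post: egress filtering with iptables
# for a student shell server. Inbound services stay reachable and answered,
# but the host may not open new connections, so a program a student runs
# cannot connect out or take part in a flood.
# Assumptions: iptables with the conntrack match; LAN_DNS is a constructed
# placeholder for the school's resolver.

IPT=${IPT:-iptables}
LAN_DNS=${LAN_DNS:-192.0.2.53}

# Print the rule set so it can be reviewed before it is applied.
egress_rules() {
    cat <<EOF
$IPT -F OUTPUT
$IPT -P OUTPUT DROP
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -d $LAN_DNS -j ACCEPT
$IPT -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "EGRESS-DROP: "
EOF
}

# Apply the rules; needs root. Not run when the file is sourced.
apply_egress_rules() { egress_rules | sh -e; }

# Audit a dump of "iptables -S OUTPUT" read on stdin: succeed only when the
# policy is DROP and every ACCEPT is limited to loopback, reply traffic or
# the resolver, so a rule such as "-A OUTPUT -j ACCEPT" is caught.
audit_output_chain() {
    policy_ok=1
    while IFS= read -r rule; do
        case "$rule" in
            "-P OUTPUT DROP") policy_ok=0 ;;
            "-P OUTPUT "*) ;;
            *"-j ACCEPT"*)
                case "$rule" in
                    *"-o lo "*|*ESTABLISHED*|*"-d $LAN_DNS"*) ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return $policy_ok
}
```

Run `iptables -S OUTPUT | audit_output_chain` after applying the rules (or after any later change) to confirm the chain still blocks new outbound connections.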