Re: XP box inside the firewall
On Wednesday 30 July 2003 23:44, Jeff wrote:
> > You can set the notebook on a different network. Put the
> > firewall/router on that network with another nic. It's the
> > principle of a dmz... By putting the notebook on another network,
> > and prohibiting access from that network to the internal network,
> > you can keep your internal systems safer...

Yeah, actually, I had been thinking about it. I recently got an old 3Com ISA card for NOK 5 (~ USD0.7) so I think I could insert another NIC. They talked about having a Wi-Fi base station, so I thought I'd keep it open but on a separate NIC so I can see what is going through there. That's what I intended to use it for. But when you mention it, treating the Windows box as a random machine trying to connect, that may be a good idea.

> This is a good option. In addition, or even instead of this, educate
> your parents about your security concerns. Assuming that you trust
> your parents, education could be the simplest solution.

Well, I think the concern is mostly having a Windows box on the inside, because it is not an option for them to not open attachments in mails they receive. Thus far, it has been relatively easy to identify e-mails with viruses, but it is not difficult to envision a virus coming piggyback on an attachment you do expect from a sender you usually trust, and I think it is quite unlikely that there isn't a vulnerability in e.g. Word that can be exploited to make Word execute a script in a Word file regardless of whether it is disabled.

So, my education of them has been pretty much "be aware that this box can easily be exploited, therefore, make sure there is nothing on that box that you would want to keep to yourself, and nothing that is not stored on the Linux workstation". Then, I have taken it upon myself to make sure that the box will not hurt the internal network or the rest of the Internet.

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/    OpenPGP KeyID: 6A6A0BBC
RE: XP box inside the firewall
If adding a DMZ isn't suitable, you should certainly block certain outgoing ports. I recommend blocking every outgoing port except those that you need (i.e. http, ssh etc). I would also recommend blocking outgoing email from everything except the firewall; that way, if the windoze box (or any other) picks up a nasty, it will not be able to email by itself to the rest of the world...

Andy

-----Original Message-----
From: Jeff [mailto:[EMAIL PROTECTED]
Sent: 30 July 2003 22:44
To: debian-security@lists.debian.org
Subject: Re: XP box inside the firewall

Kristof Goossens, 2003-Jul-30 14:09 +0200:
> On Wed, Jul 30, 2003 at 02:01:06PM +0200, Kjetil Kjernsmo wrote:
> > Hi all!
> >
> [snip]
>
> > The question is really if I could do something in the firewall that
> > would help isolate the XP box somewhat. Closing outgoing ports (input
> > ports are all closed), drop certain types of packages, or something
> > like that?
>
> You can set the notebook on a different network. Put the firewall/router
> on that network with another nic. It's the principle of a dmz... By putting
> the notebook on another network, and prohibiting access from that network
> to the internal network, you can keep your internal systems safer...

This is a good option. In addition, or even instead of this, educate your parents about your security concerns. Assuming that you trust your parents, education could be the simplest solution.

jc
--
Jeff Coppock    Systems Engineer
Diggin' Debian  Admin and User
Re: XP box inside the firewall
Kristof Goossens, 2003-Jul-30 14:09 +0200:
> On Wed, Jul 30, 2003 at 02:01:06PM +0200, Kjetil Kjernsmo wrote:
> > Hi all!
> >
> [snip]
>
> > The question is really if I could do something in the firewall that
> > would help isolate the XP box somewhat. Closing outgoing ports (input
> > ports are all closed), drop certain types of packages, or something
> > like that?
>
> You can set the notebook on a different network. Put the firewall/router
> on that network with another nic. It's the principle of a dmz... By putting
> the notebook on another network, and prohibiting access from that network
> to the internal network, you can keep your internal systems safer...

This is a good option. In addition, or even instead of this, educate your parents about your security concerns. Assuming that you trust your parents, education could be the simplest solution.

jc
--
Jeff Coppock    Systems Engineer
Diggin' Debian  Admin and User
Re: XP box inside the firewall
Installing Woody on your parents' laptop?

On Wed, 2003-07-30 at 14:01, Kjetil Kjernsmo wrote:
> Hi all!
>
> It seems I have to have a Windows XP box inside the firewall for some
> time to come... :-( (It's not my network, it's my parents', and they
> have a laptop with XP, their workstation is already on Woody).
>
> What I'm worried about is that someone may get into the XP box (by
> sending a trojan by e-mail for example), and so have something on the
> inside they can use to take down the rest of the network. It would be a
> lot more serious if they got to the workstation or the router/firewall
> itself, because they are almost always on. My parents know that they
> shouldn't have anything of value on the laptop as long as it is running
> XP.
>
> The question is really if I could do something in the firewall that
> would help isolate the XP box somewhat. Closing outgoing ports (input
> ports are all closed), drop certain types of packages, or something
> like that?
>
> Any ideas?
>
> Cheers,
>
> Kjetil
> --
> Kjetil Kjernsmo
> Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
> [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
> Homepage: http://www.kjetil.kjernsmo.net/    OpenPGP KeyID: 6A6A0BBC
Re: XP box inside the firewall
On Wed, Jul 30, 2003 at 02:01:06PM +0200, Kjetil Kjernsmo wrote:
> Hi all!

[snip]

> The question is really if I could do something in the firewall that
> would help isolate the XP box somewhat. Closing outgoing ports (input
> ports are all closed), drop certain types of packages, or something
> like that?

You can set the notebook on a different network. Put the firewall/router on that network with another nic. It's the principle of a dmz... By putting the notebook on another network, and prohibiting access from that network to the internal network, you can keep your internal systems safer...

Hope this helps,

Kristof
--
Digital fingerprint: F56F F987 0E0C AFF8 0B6D 7CA1 F152 E07D 72AF 337B
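
Added example, not part of any post in this thread: one way to express the two suggestions above as iptables rules on the firewall, combining Kristof's separate DMZ network on its own NIC with Andy's egress allowlist and blocking of forwarded outgoing mail. The interface names, the address range, and the inclusion of https and DNS in the allowlist are assumptions; by default the script only prints the rules.

```shell
#!/bin/sh
# Added example: print (or, with APPLY=1 as root, load) iptables rules that
# isolate a laptop on its own NIC. All names and addresses are assumptions.
WAN_IF=${WAN_IF:-eth0}                 # Internet side (hypothetical name)
LAN_IF=${LAN_IF:-eth1}                 # trusted internal network (hypothetical)
DMZ_IF=${DMZ_IF:-eth2}                 # extra NIC for the XP laptop (hypothetical)
DMZ_NET=${DMZ_NET:-192.168.2.0/24}     # constructed address range
ALLOWED_TCP=${ALLOWED_TCP:-80,443,22}  # http, https, ssh
APPLY=${APPLY:-0}

# ipt: print the rule; run it only when APPLY=1.
ipt() {
    echo "iptables $*"
    if [ "$APPLY" = "1" ]; then iptables "$@"; fi
}

emit_rules() {
    # Default deny for everything routed through the firewall.
    ipt -P FORWARD DROP
    # Replies to connections that were allowed out.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The DMZ may never open connections to the internal network.
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j LOG --log-prefix "DMZ2LAN:"
    ipt -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
    # No forwarded SMTP from any host. Mail sent by the firewall itself
    # leaves through the OUTPUT chain and is not affected by these rules.
    ipt -A FORWARD -o "$WAN_IF" -p tcp --dport 25 -j LOG --log-prefix "SMTPOUT:"
    ipt -A FORWARD -o "$WAN_IF" -p tcp --dport 25 -j DROP
    # Egress allowlist for the DMZ: only the listed TCP ports, plus DNS.
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -p tcp \
        -m multiport --dports "$ALLOWED_TCP" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -p udp --dport 53 -j ACCEPT
    # Assumption: the trusted LAN may open other outbound connections.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    # Log whatever else the DMZ tries before the default policy drops it.
    ipt -A FORWARD -i "$DMZ_IF" -j LOG --log-prefix "DMZDROP:"
}

emit_rules
```

The LOG rules give the visibility Kjetil asks for: anything the laptop attempts outside the allowlist shows up in the kernel log with a `DMZ2LAN:`, `SMTPOUT:` or `DMZDROP:` prefix.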