l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
December 2: Social gathering
Next Installfest:
TBD
Latest News:
Nov. 18: Club officer elections
Page last updated:
2001 Dec 30 17:04

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Trying to understand my own WAN
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Trying to understand my own WAN



On Mon, 7 May 2001, Jay Strauss wrote:

> Maybe I'd be better off saying what I want to do (rather than what I have),
> and you guys can direct me in the approach.
> 
> I want to have a secure network, where I'll have a DMZ and an Internal LAN.
> I want to be able to run X apps from:
> 
> Internal LAN --> DMZ

Standard "one-way" tcp connections hole in firewall

> Home --> DMZ server

SSH can tunnel X connections per Ted's suggestion.  No separate holes in
firewall needed.

> Home --> Internal LAN servers

This is where "security" enters a gray area... _any_ external access to
an internal LAN is an opening that could be abused.

1) ssh version 1 is known to have weaknesses that can be exploited to gain
access.  For now, ssh v2 doesn't seem to have these known weaknesses.  
That may change.

2) If your home net is compromised, the private keys you use to access
your office net become compromised as well, so your office net is
accessible.

This is the purpose of a DMZ.... put services that need exposure on a
network that you can afford to wipe if it gets cracked.  It has to be
expendable, though you would probably do your best to secure it subject to
the limitation that it has to be externally accessible.

> What pieces of hardware do I need?  What software?  How are they arranged?

Too much work to start explaining this from scratch.  Besides, everyones
needs are a little different, and I have been able to avoid external
access entirely so far.

There are books and howtos that you seem to have some familiarity with.
Your "plan" as presented seemed mostly reasonable, though I don't know
what the portforwarding capabilities of the Linksys are, and LRP
firewalling seems much preferable (to me) to what you could get in a
closed box.

[...]

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
Work:<JeffN@endecon.com>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------


LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.