TechWhirl (TECHWR-L) is a resource for technical writing and technical communications professionals of all experience levels and in all industries to share their experiences and acquire information.
Subject:Re: upgrade from 98 to XP From:Andrew Plato <intrepid_es -at- yahoo -dot- com> To:"TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com> Date:Tue, 5 Feb 2002 22:39:14 -0800 (PST)
"Sandy Harris" wrote:
> A dual NIC gateway is just a PC (or whatever) set up to act as a
> router. Provided you know how to set it up, it is just as effective
> and can be as secure.
Yes, if the OS is something like Linux or BSD that can be tightened down.
But Windoze...forget it.
> > They are EXTREMELY easy to hack. I have a client whose entire network was
> > melted down thanks to a dual-NIC WinNT gateway. The hacker planted some
> > nasty crap on the gateway then had his way with the internal machines
> > (about 40 of them).
>
> I'm not sure if NT can be set up securely. People I respect, and who
> know a lot more about NT than I do, say it can, and rely on it for
> some fairly important things. Other folks I also respect just laugh
> at the notion that any Microsoft product can be set up securely.
Windows boxes can be secured, but it takes some tweaking. It just isn't an
OS that is meant for critical network routing.
Generally, Windows boxes work best when their function is limited.
Workstations should remain workstations and servers should have as few
services as possible.
Honestly, the only problem with Windows boxes is that you can't shut off
some features. Like the administrative shares. Unless you make a rather
clumsy registry edit, those shares are open all the time. Also the
LSASS.EXE process has a nasty habit of opening up high ports and LEAVING
them open.
> The basic rule is do not try to do this unless you know quite a
> lot about the tools you will use, and are willing to put considerable
> effort into securing the box.
Absolutely!
> > And if you do the "DMZ to nowhere" trick (as I described), you'll
> > actually send inbound hack attempts into oblivion, slowing down script
> > kiddies armed with port scanners.
>
> I missed that. Please repeat here or in off-list mail to me.
It's not a real security solution, but it works well for those SOHO
routers.
Most SOHO routers have an option to configure an internal address as a DMZ
host. Any unsolicited inbound traffic is routed to the DMZ host. Well,
hackers will generally perform port scans on systems first. If you route
those scans to an IP address that does not exist, it will cause the
hacker's scans to run much slower. Essentially, each port the hacker scans
has to time-out before returning a result.
Another trick, if you REALLY want to have fun is to erect a honeypot on
that DMZ host. One of the techs in my office put up a telnet honeypot that
harvested Windows passwords. When anybody tried to connect to it, it would
loopback and connect to their machine and attempt to pull their Windows
password hash. Hee hee...that was fun.
> > If you really want security, the best answer is a true firewall running
> > something like BSD. These suckers are rock solid. But they are not for
> > the faint-of-technical-heart. I use one of these in my office (in
> > addition to about 5 different IDS products). Nothing gets through them.
>
> Yes, but only if you know enough about Unix to set them up right, or
> the application is important enough to contract an expert.
Anitian Security Team at your service. :-) We actually sell a hardened
BSD box as a combo firewall/IDS...the Panther Firewall. Only $1999.00.
What a steal! Buy two, they make great stocking stuffers. What better way
to say "I love you" than with a hardened BSD firewall.
> RFC 1918 allocates three ranges of addresses for private networks:
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
> so you can assign any range in there for a local net.
>
> Most people use 192.168.0.0/24 or 192.168.1.0/24.
> I'd suggest using anything but 192.168.0.0/24 or 192.168.1.0/24.
I prefer the 10.x.x.x series...fewer numbers to type. I use 10.0.0.0/25. It
gives me 128 IP addresses, which is more than I could ever use on a small
LAN. On my office network we have close to 45 machines (routers,
firewalls, IDSs, print servers, MP3 servers, you name it).
Andrew Plato
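The "DMZ to nowhere" effect described above comes down to how a connect() scanner behaves: a port that answers (SYN/ACK or RST) is classified instantly, while a port whose SYN is forwarded to an address nobody owns gets no reply and the scanner has to wait out its full timeout. The following is an added example, not code from the original post or from Anitian; it is a minimal sequential connect scanner that classifies each probe and measures how long it took. The open and closed ports it probes are constructed on 127.0.0.1 so it runs offline; the optional probe of 192.0.2.1 (an RFC 5737 documentation address that is never routed) is the assumed stand-in for the nonexistent DMZ host, and on a machine with no default route it will report "unreachable" rather than "filtered".

```python
import socket
import time
from contextlib import closing

TIMEOUT = 2.0  # per-port connect() timeout a simple scanner might use


def probe_port(host, port, timeout=TIMEOUT):
    """One TCP connect() probe, the way a naive connect scanner works.

    Returns (state, elapsed_seconds).
    'open'        -> handshake completed (SYN/ACK came back)
    'closed'      -> target answered with RST, so this returns almost at once
    'filtered'    -> nothing answered before the timeout: the "DMZ to nowhere"
                     case, where each probe burns the whole timeout
    'unreachable' -> the local stack had no route to the target at all
    """
    started = time.monotonic()
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except socket.timeout:
        state = "filtered"
    except OSError:
        state = "unreachable"
    return state, time.monotonic() - started


def scan(host, ports, timeout=TIMEOUT):
    """Sequential connect scan. Returns ({port: state}, total_seconds)."""
    results = {}
    started = time.monotonic()
    for port in ports:
        results[port], _ = probe_port(host, port, timeout)
    return results, time.monotonic() - started


def worst_case_seconds(port_count, timeout=TIMEOUT):
    """Time a sequential scanner spends when every probe has to time out,
    which is what happens when all inbound SYNs are forwarded into a void."""
    return port_count * timeout


def demo():
    """Constructed fixture: one listening port (open) and one port that is
    bound but not listening, so the kernel answers its SYN with RST (closed).
    Returns (open_state, closed_state, total_scan_seconds)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Bound but never listen()ed: incoming SYNs get an immediate RST.
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    try:
        results, total = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
        spare.close()
    return results[open_port], results[closed_port], total


if __name__ == "__main__":
    open_state, closed_state, total = demo()
    print(f"localhost: open={open_state} closed={closed_state} in {total:.3f}s")
    print(f"1024 ports, all silently dropped, at {TIMEOUT}s each: "
          f"{worst_case_seconds(1024) / 60:.0f} minutes")
    # Assumed stand-in for the nonexistent DMZ host (RFC 5737 TEST-NET-1).
    state, secs = probe_port("192.0.2.1", 80, timeout=1.0)
    print(f"192.0.2.1:80 -> {state} after {secs:.2f}s")
```

The two localhost probes finish in milliseconds because the target answers either way; only the silent drop costs the scanner its timeout, which is why the trick slows a scanner down without stopping it, and why a scanner run in parallel or with a short timeout largely defeats it.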
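The subnet discussion above (RFC 1918 ranges, 10.0.0.0/25 for about 45 machines, and the suggestion to avoid the two /24s most SOHO routers default to) is easy to check mechanically. The following is an added example, not code from the original post; it uses Python's standard ipaddress module to confirm a candidate LAN range is private, count its addresses and usable hosts (the network and broadcast addresses are excluded), and flag overlap with 192.168.0.0/24 and 192.168.1.0/24, which I treat here as the "common defaults" the quoted advice refers to. The hosts-to-prefix helper goes slightly beyond the post and computes the smallest block that fits a given host count.

```python
import ipaddress

# The three private ranges from RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the default LAN ranges the quoted advice says to avoid.
COMMON_DEFAULTS = [ipaddress.ip_network(n)
                   for n in ("192.168.0.0/24", "192.168.1.0/24")]


def is_rfc1918(net):
    """True if the whole block lies inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def plan_lan(cidr, hosts_needed):
    """Sanity-check a LAN range before handing it to the router.

    Raises ValueError (from ipaddress) if host bits are set, e.g. 10.0.0.1/25,
    which is the usual typo when people write the gateway address instead of
    the network address.
    """
    net = ipaddress.ip_network(cidr)  # strict=True by default
    usable = max(net.num_addresses - 2, 0)  # minus network and broadcast
    return {
        "network": str(net),
        "rfc1918": is_rfc1918(net),
        "total_addresses": net.num_addresses,
        "usable_hosts": usable,
        "first_host": str(net[1]) if usable else None,
        "last_host": str(net[-2]) if usable else None,
        "fits": usable >= hosts_needed,
        "collides_with_default": any(net.overlaps(d) for d in COMMON_DEFAULTS),
    }


def smallest_prefix_for(hosts):
    """Smallest IPv4 prefix length whose block holds `hosts` usable addresses
    (plus network and broadcast).  45 hosts -> /26, 126 hosts -> /25."""
    needed = hosts + 2
    return 32 - (needed - 1).bit_length()


if __name__ == "__main__":
    for cidr in ("10.0.0.0/25", "192.168.1.0/24", "172.16.10.0/26", "192.0.2.0/24"):
        print(plan_lan(cidr, hosts_needed=45))
    print("45 hosts need a /%d" % smallest_prefix_for(45))
```

For 10.0.0.0/25 the report shows 128 addresses, 126 of them assignable to hosts (10.0.0.1 through 10.0.0.126), enough for 45 machines with room to grow, and no overlap with the usual router defaults; 192.0.2.0/24 is rejected as non-private because it is a documentation range, not RFC 1918 space.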