Re: upgrade from 98 to XP

Subject: Re: upgrade from 98 to XP
From: Andrew Plato <intrepid_es -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Tue, 5 Feb 2002 22:39:14 -0800 (PST)

"Sandy Harris" wrote.

> A dual NIC gateway is just a PC (or whatever) set up to act as a
> router. Provided you know how to set it up, it is just as effective
> and can be as secure.

Yes, if the OS is something like Linux or BSD that can be tightened down.
But Windoze...forget it.

> > They are EXTREMELY easy to hack. I have a client whose entire network
> > was melted down thanks to a dual-nic WinNT gateway. The hacker planted
> > some nasty crap on the gateway then had his way with the internal
> > machines (about 40 of them).
>
> I'm not sure if NT can be set up securely. People I respect, and who
> know a lot more about NT than I do, say it can, and rely on it for
> some fairly important things. Other folks I also respect just laugh
> at the notion that any Microsoft product can be set up securely.

Windows boxes can be secured, but it takes some tweaking. It just isn't an
OS that is meant for critical network routing.

Generally, Windows boxes work best when their function is limited.
Workstations should remain workstations and servers should have as few
services as possible.

Honestly, the only problem with Windows boxes is that you can't shut off
some features. Like the administrative shares. Unless you make a rather
clumsy registry edit, those shares are open all the time. Also the
LSASS.EXE process has a nasty habit of opening up high ports and LEAVING
them open.

> The basic rule is do not try to do this unless you know quite a
> lot about the tools you will use, and are willing to put considerable
> effort into securing the box.

Absolutely!

> > And if you do the "DMZ to nowhere" trick (as I described), you'll
> > actually send inbound hack attempts into oblivion, slowing down script
> > kiddies armed with port scanners.
>
> I missed that. Please repeat here or in off-list mail to me.

It's not a real security solution, but it works well for those SOHO
routers.

Most SOHO routers have an option to configure an internal address as a DMZ
host. Any unsolicited inbound traffic is routed to the DMZ host. Well,
hackers will generally perform port scans on systems first. If you route
those scans to an IP address that does not exist, it will cause the
hacker's scans to run much slower. Essentially, each port the hacker scans
has to time-out before returning a result.

Another trick, if you REALLY want to have fun is to erect a honeypot on
that DMZ host. One of the techs in my office put up a telnet honeypot that
harvested Windows passwords. When anybody tried to connect to it, it would
loopback and connect to their machine and attempt to pull their Windows
password hash. Hee hee...that was fun.

> > If you really want security, the best answer is a true firewall
> > running something like BSD. These suckers are rock solid. But they are
> > not for the faint-of-technical-heart. I use one of these in my office
> > (in addition to about 5 different IDS products). Nothing gets through
> > them.
>
> Yes, but only if you know enough about Unix to set them up right, or
> the application is important enough to contract an expert.

Anitian Security Team at your service. :-) We actually sell a hardened
BSD box as a combo firewall/IDS...the Panther Firewall. Only $1999.00.
What a steal! Buy two, they make great stocking stuffers. What better way
to say "I love you" than with a hardened BSD firewall.

> RFC 1918 allocates three ranges of addresses for private networks:
> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16
> so you can assign any range in there for a local net.
>
> Most people use 192.168.0.0/24 or 192.168.1.0/24.

> I'd suggest using anything but 192.168.0.0/24 or 192.168.1.0/24.

I prefer the 10.x.x.x series...fewer numbers to type. I use 10.0.0.0/25.
It gives me 128 IP addresses, which is more than I could ever use on a
small LAN. On my office network we have close to 45 machines (routers,
firewalls, IDSs, print servers, MP3 servers, you name it).

Andrew Plato
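The "DMZ to nowhere" point above, that a scanner forwarded to a non-existent host has to wait out a full timeout on every port, as an added example that is not part of the original post or of any product named in it: a small TCP connect() scanner in Python that classifies each port by how the probe ends (handshake completes = open, immediate RST = closed, silence until the timeout = filtered), plus the arithmetic for the floor a black-holed scan runs into. The listener on loopback is a constructed fixture standing in for an "open" port so the script runs with no real network; the function names are my own.

```python
import socket
import threading
import time


def probe(host, port, timeout):
    """TCP connect() probe of one port (what a plain, non-raw-socket scan does).

    Returns (state, elapsed_seconds), state being one of:
      'open'        - three-way handshake completed
      'closed'      - the host answered at once with RST (connection refused)
      'filtered'    - nobody answered; we sat out the whole timeout
      'unreachable' - the local stack refused to route the probe at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        state = "open"
    except socket.timeout:          # the black-holed case: full timeout burned
        state = "filtered"
    except ConnectionRefusedError:  # RST came back immediately
        state = "closed"
    except OSError:
        state = "unreachable"
    finally:
        s.close()
    return state, time.monotonic() - start


def scan(host, ports, timeout=1.0):
    """Sequential connect scan; returns {port: (state, elapsed_seconds)}."""
    return {p: probe(host, p, timeout) for p in ports}


def black_hole_floor(num_ports, timeout):
    """Lower bound on wall time for a sequential scan whose every probe is
    forwarded to a DMZ host that does not exist: each probe must time out."""
    return num_ports * timeout


def start_open_port():
    """Constructed fixture: a listener on an ephemeral loopback port so the
    example has an 'open' port to probe. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:   # server socket closed; stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """Constructed fixture: a loopback port that is not listening. Bind an
    ephemeral port, note its number, release it without ever listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_p = start_open_port()
    closed_p = closed_port()
    for port, (state, secs) in scan("127.0.0.1", [open_p, closed_p], timeout=2.0).items():
        print(f"port {port}: {state} in {secs:.4f}s")
    srv.close()
    floor = black_hole_floor(65535, 3.0)
    print(f"all 65535 TCP ports, 3s timeout, every probe black-holed: >= {floor:.0f}s "
          f"({floor / 3600:.1f} h) before the scan finishes")
```

Both loopback probes return in well under a millisecond, which is exactly why the trick matters: a closed port costs the scanner one RST round trip, while a port that never answers costs it the whole timeout, so forwarding unsolicited traffic to an address nobody holds turns a seconds-long sweep into hours for a single-threaded scanner. As the post says, it is a speed bump, not a control: a parallel scanner or a short timeout shrinks the delay, and anything you do expose through the router is unaffected.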
