On Thu, 24 Oct 1996, Ron DuFresne wrote:
> > Set up a machine in your DMZ that does the NFS transfers. Block this
> > machine entirely from your inside network except for the FTP proxy port
> > and use ftp to pull the files inside your protected area. This NFS machine
> > should be a throwaway that is dedicated to this one function and has no
> > other services running and is blocked at the router on all ports except
> > those used by NFS and blocked at the firewall on all ports except those
> > used by the ftp proxy.
> Not only a throwaway, but isn't this machine also a site that's going to
> be used for warez and other nasties? What's the responsibility of
> the owners of this machine should illegal SW find its way there, which
> it will?
When I said "is blocked at the router on all ports except those used by
NFS", I should have clarified by saying that only the IP addresses used by
the outside org would have access via NFS. All packets from other IP
addresses would be blocked at the router and even the outside org would be
able to do nothing except access an NFS directory. If this machine is
truly stripped down, i.e. delete all unneeded binaries and only do admin
work at the console or via ssh, then I don't see how a hacker could break
in and even if they did all they would have access to is a hard drive.
Michael Dillon - ISP & Internet Consulting
Memra Software Inc. - Fax: +1-604-546-3049
http://www.memra.com - E-mail: michael @
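The two filtering points the reply describes (a screening router that admits only NFS from the outside org's addresses to the DMZ host, and a firewall that lets the inside network reach that host only on the FTP proxy port) modeled as a small first-match ACL evaluator with an implicit deny. This is an added example written for this page, not configuration from the thread or from any of the posters; the addresses, the choice of port 21 for the FTP proxy, and the NFS port set (portmapper 111 and nfsd 2049; mountd ran on a dynamic port at the time) are assumptions.

```python
"""Model of a two-hop packet filter: router (Internet -> DMZ) and
firewall (DMZ <-> inside).  Constructed example; addresses and ports are
assumptions, not values from the original discussion."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed networks (RFC 5737 documentation ranges and RFC 1918 space).
PARTNER_NET = ip_network("192.0.2.0/24")      # outside org allowed to use NFS
INSIDE_NET = ip_network("10.0.0.0/8")         # protected internal network
NFS_HOST = ip_network("198.51.100.5/32")      # throwaway NFS box in the DMZ
ANY = ip_network("0.0.0.0/0")

FTP_PROXY_PORT = 21                # assumption: proxy listens on the FTP port
NFS_PORTS = frozenset({111, 2049})  # portmapper and nfsd (mountd was dynamic)
TCP_UDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    protos: FrozenSet[str]
    dports: Optional[FrozenSet[int]]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        ip_address(pkt.src) in rule.src
        and ip_address(pkt.dst) in rule.dst
        and pkt.proto in rule.protos
        and (rule.dports is None or pkt.dport in rule.dports)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Outer router: only the partner's addresses, only NFS, only to the DMZ host.
ROUTER_RULES = [
    Rule("allow", PARTNER_NET, NFS_HOST, TCP_UDP, NFS_PORTS),
    Rule("deny", ANY, ANY, TCP_UDP, None),
]

# Inner firewall: inside hosts may open the FTP proxy port on the DMZ host;
# the DMZ host itself can originate nothing toward the inside network.
FIREWALL_RULES = [
    Rule("allow", INSIDE_NET, NFS_HOST, frozenset({"tcp"}), frozenset({FTP_PROXY_PORT})),
    Rule("deny", ANY, ANY, TCP_UDP, None),
]


def demo() -> dict:
    """Run constructed packets through the hop they would cross."""
    cases = {
        "partner NFS to DMZ host": (ROUTER_RULES, Packet("192.0.2.10", "198.51.100.5", "udp", 2049)),
        "stranger NFS to DMZ host": (ROUTER_RULES, Packet("203.0.113.7", "198.51.100.5", "udp", 2049)),
        "partner ssh to DMZ host": (ROUTER_RULES, Packet("192.0.2.10", "198.51.100.5", "tcp", 22)),
        "inside FTP pull from DMZ host": (FIREWALL_RULES, Packet("10.1.2.3", "198.51.100.5", "tcp", 21)),
        "inside NFS mount of DMZ host": (FIREWALL_RULES, Packet("10.1.2.3", "198.51.100.5", "tcp", 2049)),
        "DMZ host reaching inside": (FIREWALL_RULES, Packet("198.51.100.5", "10.1.2.3", "tcp", 21)),
    }
    return {name: evaluate(rules, pkt) for name, (rules, pkt) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5}  {name}")
```

The model makes the reply's two conditions explicit: the router rule keys on source address as well as port, so an NFS request from any address outside `PARTNER_NET` never reaches the DMZ host, and the firewall rule is directional, so the inside network can fetch over the FTP proxy but can never mount the DMZ host's NFS export. One caveat worth keeping in mind with a source-address rule on a connectionless service like 1990s UDP NFS: the router is trusting the source field of the packet, so the rule narrows exposure to the partner's address space rather than authenticating the partner.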