We have a dedicated line to connect to the outside world, so security has
become an issue that we need to be concerned about.
In our environment, all the UNIX workstations and X terminals are
isolated from the outside world by a second network card in a Netware
3.11 file server (we have Novell NFS running on the file server). We
don't allow IP packet routing between the two network cards on the
Netware file server (actually one network card is only loaded with
IPX/SPX software and no IP software). All the PC clients have MS-Windows
Socket loaded (Trumpet Windows socket service and Trumpet Windows
application software). That means all the PCs have ftp, telnet, Mosaic
(NCSA Mosaic) client software loaded and can connect to the ftp, telnet,
and Web servers of the outside world.
We have a FRAD (Frame Relay Assembler/Disassembler) configured to route IP
packets, and to block IPX/SPX packets.
Our setup is:
Netcom <--> 56k line <--> FRAD <--> Novell LAN <--> Novell Server <-->
NFS LAN <--> UNIX Stations
On our Novell LAN we have:
o x86 PCs, running MS-Windows Socket loaded (Trumpet Windows socket
service and Trumpet Windows application software), ftp, telnet, Mosaic
(NCSA Mosaic) client software loaded and can connect to the ftp, telnet,
and Web servers of the outside world.
o A Novell server running Netware 3.11. It is also running Novell-NFS
and has two LAN cards in it. One card is connected to our Novell LAN
running IPX/SPX and the other is connected to our NFS LAN running IP.
Novell-NFS is configured such that it does not route packets between the
Novell and NFS LANs.
o A netmodem running IPX/SPX for in- and out-bound calling.
o An x86 PC running the Lotus Notes server and IPX/SPX.
o An x86 PC running the cc:Mail server application, and IP.
Our FRAD (Frame Relay Assembler/Disassembler) is configured to allow IP
packet routing, and to block IPX/SPX packets.
My questions are:
1. Are all the PCs secure from attack (because they just have ftp,
telnet, Mosaic client software loaded, but not the server software)?
2. Are our Novell and Notes servers safe (they only run IPX/SPX on the
LAN, and do not run ftp, telnet, etc., server applications)?
3. Is our cc:Mail server safe (it runs IP and IPX/SPX and it is a server
application)?
4. Are our UNIX hosts safe (all packets are blocked using the Novell-NFS
application)?
5. If the answer to any of the above questions is no, what can we add
(like a firewall router, or other) that can help?
6. We may want to add a news, ftp, Web, telnet, or other server in the
future. What can we do to add these without significantly compromising
our security further?
Since Novell IP Tunneling software can let IPX/SPX packets emulate IP
packets across the Internet, are we safe from this kind of attack from the
Internet (attacking network cards that just have IPX/SPX software loaded)?