Great Circle Associates Firewalls
(January 1997)

Subject: Re: Secure firewall with only Linux-Kernel filtering possible?
From: "Jerry G. Champlin" <jgc @ macedonia . safhl . umn . edu>
Date: Mon, 13 Jan 1997 06:59:54 -0600 (CST)
To: rammeri @ winternet . co . at, firewalls @ greatcircle . com
In-reply-to: <199701131655 . RAA17194 @ winternet . co . at> from "rammeri @ winternet . co . at" at Jan 13, 97 05:55:18 pm

rammeri @ winternet . co . at stated:
> 
> Assume the following situation:
> 
> We are a company with 25 computer systems in a LAN, and with a 64k
> connection to the internet.
> 
> So ... my question is ... is the following security-schema good or why
> not?
> 
> Our LAN is divided into several parts, so we use 192.168.0.0 -
> 192.168.4.0 for our internet network.
> Between the router to the internet and the first local router, we have
> a firewall-setup with only the linux-kernel-filtering/masquerading.
> The firewall allows any connections to be made from the internal-net.
> But disallows any connection but a port 25 that will be forwarded to our
> mail-host in the internal net (even this connection is limited to our
> MX host).
> The firewall disallows incoming ftp-data.
> On the firewall there is NO daemon running, not even telnet for
> administration or sth. like this.

I have subverted similar setups out of necessity by using procmail and/or
elm filters on the mail machine.  You will want to make sure that you
are running smrsh on the mail host and that you keep an eye on how people
set up their mail handling.  You do not want shell scripts, etc. to be
executed on the mail host based on the content of mail messages unless it
is absolutely necessary.  Make sure the basic internet services your
users use function properly to fit your needs or they will figure out
a way to make things work by compromising your security from within.

The other thing I would think about is how you are protecting against
outbound sessions being hijacked while port (data port in the case
of ftp) negotiation is in progress.

-Jerry

***************************************************************************
"If you plot a course of events like you plot murder, you'll be fine."
			-- M. Harvey
***************************************************************************
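The smrsh point in the reply above, as an added example that is not part of the original post or the Great Circle archive: a small audit script that pulls the pipe-to-program actions out of users' .forward and .procmailrc files and reports the ones smrsh would refuse, plus the ones that never pass through smrsh at all (procmail runs its recipe pipes under its own shell, which is exactly why "keep an eye on how people set up their mail handling" matters even with smrsh installed). Assumptions: smrsh's program directory is /etc/smrsh (the original sendmail default was /usr/adm/sm.bin), the metacharacter check only approximates smrsh's own, and every sample file below is constructed rather than taken from a real host.

```python
"""Audit .forward / .procmailrc files for program pipes that bypass smrsh.

Added example, not from the original post.  SMRSH_DIR and the metacharacter
set are assumptions that approximate smrsh; adjust for your sendmail build.
"""
import os
import re
import shlex

# Assumed smrsh program directory (historic sendmail default: /usr/adm/sm.bin).
SMRSH_DIR = "/etc/smrsh"

# Approximation of the characters smrsh refuses in a command line.
SHELL_META = re.compile(r"[<>;`$()\r\n]")


def pipe_commands_in_forward(text):
    """Return program commands from a ~/.forward file.

    Entries are comma- or newline-separated; an entry starting with '|'
    (optionally quoted) asks sendmail to pipe the message into a program,
    and that is the path smrsh mediates.
    """
    cmds = []
    for entry in re.split(r"[,\n]", text):
        entry = entry.strip().strip('"')
        if entry.startswith("|"):
            cmds.append(entry[1:].strip())
    return cmds


def pipe_commands_in_procmailrc(text):
    """Return program commands used as procmail recipe actions.

    A recipe is ':0 [flags]', then zero or more '* condition' lines, then one
    action line; an action beginning with '|' pipes the message into a
    program via procmail's shell (not via smrsh).
    """
    cmds = []
    in_recipe = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(":0"):
            in_recipe = True
            continue
        if in_recipe and s and not s.startswith(("*", "#")):
            if s.startswith("|"):
                cmds.append(s[1:].strip())
            in_recipe = False  # the action line ends the recipe
    return cmds


def smrsh_would_allow(cmd, allowed_programs):
    """Approximate smrsh's decision for one command line.

    smrsh rejects lines with shell metacharacters and runs only programs
    whose basename exists in SMRSH_DIR (passed here as allowed_programs).
    Returns (allowed, reason).
    """
    if SHELL_META.search(cmd):
        return False, "shell metacharacters"
    try:
        words = shlex.split(cmd)
    except ValueError:
        return False, "unparseable command"
    if not words:
        return False, "empty command"
    prog = os.path.basename(words[0])
    if prog not in allowed_programs:
        return False, f"{prog} not in {SMRSH_DIR}"
    return True, "ok"


def audit(files, allowed_programs=None):
    """files: {path: contents}.  Returns (path, command, reason) for every
    pipe action that either bypasses smrsh or would be refused by it."""
    if allowed_programs is None:
        allowed_programs = (set(os.listdir(SMRSH_DIR))
                            if os.path.isdir(SMRSH_DIR) else set())
    findings = []
    for path, text in files.items():
        if path.endswith(".procmailrc"):
            # procmail executes these itself; smrsh never sees them.
            for cmd in pipe_commands_in_procmailrc(text):
                findings.append((path, cmd, "runs under procmail's shell, not smrsh"))
        else:
            for cmd in pipe_commands_in_forward(text):
                ok, reason = smrsh_would_allow(cmd, allowed_programs)
                if not ok:
                    findings.append((path, cmd, reason))
    return findings


# Constructed sample files (not from any real host).
SAMPLE_FILES = {
    "/home/alice/.forward": '"|/usr/bin/procmail"\n',
    "/home/alice/.procmailrc": (":0\n* ^Subject:.*fetch\n| /home/alice/bin/fetch.sh\n"
                                ":0:\nMail/inbox\n"),
    "/home/bob/.forward": "bob@example.com, |/usr/bin/vacation bob\n",
    "/home/carol/.forward": '"|/usr/local/bin/myfilter > /tmp/out"\n',
}

if __name__ == "__main__":
    for path, cmd, reason in audit(SAMPLE_FILES, {"procmail", "vacation"}):
        print(f"{path}: '{cmd}' -> {reason}")
```

Run against real home directories by building the `files` dict from `~*/.forward` and `~*/.procmailrc` and letting `allowed_programs` default to the contents of SMRSH_DIR; a clean host returns an empty list. Note that alice's .forward is accepted (procmail sits in the smrsh directory) while her .procmailrc is still reported, which is the gap the reply warns about.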

