I have a client using OpenServer 5.0.5, fully patched, for a medical
practice management and accounting application. They have 7 Windows
98/2000 workstations connected to the SCO box through an SMC hub,
using FacetWin to connect, and everything is working great. Now they
would like to have internet connectivity for the Windows based machines.
DSL is not available in their area, so I am thinking about ISDN 128K.
My real concern is to keep the SCO box hidden from the outside world,
so please advise how I can do that: do I need dynamic or static IPs
from the ISP, and what kind of router/modem should I use? I have an
Ascend P75 in stock but am open for suggestions.
Thanks
Abid
I'd be more concerned about keeping the windows machines hidden from
the outside world.
You can run ipfilter, ipnat and squid on the Unix box to protect it and
at the same time, hide the windows machines behind it, however it is better
to have a separate box for the firewall.
A static ip is definitely preferable, dynamic ip's make firewalling
more difficult and it is quite difficult for the outside world to find
your system.
--
==========================================================================
Tom Parsons t...@tegan.com
==========================================================================
You can make the SCO box into a firewall with ipfilter (
http://aplawrence.com/Security/ipfilter.html ) but that's a dumb thing
to do. Not using ipfilter- you should do that anyway, but the firewall
should be a separate box or device. I think you already understand
that, and if so, ipfilter is at least part of your answer for keeping it
hidden.
If not, or if you just want a reality check 'cause you haven't done this
before, I have a number of articles relating to this stuff at
http://aplawrence.com/Security. If you are really new to this kind of
thing the following may be particularly useful:
http://aplawrence.com/Basics/internet.html
http://aplawrence.com/Security/dslsecure.html
http://aplawrence.com/Linux/vpn.html
http://aplawrence.com/esmith.html
--
Please note new phone number: (781) 784-7547
Tony Lawrence
Unix/Linux Support Tips, How-To's, Tests and more: http://aplawrence.com
Free Unix/Linux Consultants list: http://aplawrence.com/consultants.html
You only need whatever the DHCP server gives you when you connect via
ISDN or cable modem.
Uplink your current hub/switch to a Linksys router
http://www.linksys.com/Products/product.asp?grid=23&prid=20
at
http://accessories.us.dell.com/sna/productdetail.asp?sku=008611
or your local Circuit City, CompUSA, Fry's, etc...
Move the Windows clients to DHCP, read the google groups on how to
convert the SCO box to DHCP, or just move it to a private address that
will be in the same subnet as the rest of your windows boxes.
With a cable modem it should take 5 minutes tops to be surfing the web.
I haven't installed with an ISDN modem.
What a wonderfully concise message about the WORST possible way to
connect a business to the internet.
Yes, the firewall should be a separate box or device.
I know nothing about Ascend, sorry. I prefer a Linux box myself- the
E-Smith referenced at http://aplawrence.com/esmith.html is something
that works very well and can be totally free- your only cost is the
hardware to run it on unless you want support or its other features
(virus scanning, web access control etc.) The reason I prefer this sort
of solution is that it is software- the minute a vulnerability is found
you can fix it yourself rather than waiting for Ascend or whoever to
produce a new bios. Such a setup also has the flexibility to add your
own customization: you need an IDS, add Snort, etc. You don't have to
depend on someone else to give you whatever it is you need or want.
Not that I'm averse to appliance style boxes. I don't mind using a
cheap Dlink or whatever as the first blockage to the outside world- I
just want to have more behind it- like the E-Smith as another firewall
and then not forgetting to lock up the SCO box just as though it were
sitting unprotected. The same care should be taken with the Windows
boxes, though sometimes that's a harder thing to do politically.
Still, anything you can do can only help.
It never hurts to set up different kinds of watchdogs. One may be
sorely tempted by a hunk of raw meat when the next one in line is not.
The sad fact is that if someone really wants you badly enough, they'll
find a way through anything given enough motivation and time.
Therefore, the more different obstacles you can put in their way the
better. Of course, someone once refuted that by saying "what if one of
your watchdogs is easily corrupted and will help you get by all the
others once it is compromised?" I suppose he has a small point there
but I still think you are better off with multiple levels of armor and
no unnecessary services running even if something else is supposedly
protecting it. For example, if you don't need ftp, you should
absolutely shut it off, but you should also filter it off both at the
firewall(s) AND at the server just in case somebody accidentally turns
it back on. Further, services should be configured for the least
dangerous access possible; telnet shouldn't allow root logins etc.
One bit that I often advise but is seldom followed: last person out at
night disconnects the Internet. An unconnected system can't be hacked
while it's disconnected. At my office, when I shut off the lights, the
routers go dead... but that may not work for everyone.
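Tony's rule of shutting unneeded services off at the server itself, in addition to filtering them at the firewall, is easy to turn into a repeatable check. The script below is an added example and is not code from anyone in this thread. It reads an inetd.conf-style file (the classic `service socket proto wait/nowait user server args` layout, which is assumed to be what OpenServer's /etc/inetd.conf uses), lists the services that are still switched on, flags the ones on a site-defined deny list, and prints a copy of the file with those entries commented out. The sample file contents and the deny list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf-style file for
# services that are still switched on, and produce a copy with the
# unwanted ones commented out. Assumes the classic inetd.conf layout:
#   service socket proto wait/nowait user server args...
# The sample contents below are constructed; the real file on OpenServer
# is assumed to live at /etc/inetd.conf.

SAMPLE_INETD='# constructed sample, not a real SCO file
ftp     stream  tcp     nowait  root    /etc/ftpd       ftpd
telnet  stream  tcp     nowait  root    /etc/telnetd    telnetd
#shell   stream  tcp     nowait  root    /etc/rshd       rshd
#login   stream  tcp     nowait  root    /etc/rlogind    rlogind
finger  stream  tcp     nowait  nobody  /etc/fingerd    fingerd'

# Services this site has decided it does not need (constructed list).
DENY="ftp shell login finger tftp"

# enabled_services FILE -> one service name per line for every active entry
enabled_services() {
  grep -v '^[[:space:]]*#' "$1" | awk 'NF >= 6 { print $1 }'
}

# unwanted_enabled FILE "svc ..." -> active services that are on the deny list
unwanted_enabled() {
  file=$1
  deny=$2
  for svc in $(enabled_services "$file"); do
    for d in $deny; do
      if [ "$svc" = "$d" ]; then echo "$svc"; fi
    done
  done
}

# disable_services FILE "svc ..." -> prints FILE with deny-listed entries
# commented out (a '#' is put in front of the matching line)
disable_services() {
  file=$1
  deny=$2
  out=$(cat "$file")
  for d in $deny; do
    out=$(printf '%s\n' "$out" | sed "s/^\\([[:space:]]*$d[[:space:]]\\)/#\\1/")
  done
  printf '%s\n' "$out"
}

main() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_INETD" > "$tmp"
  echo "Enabled services:"
  enabled_services "$tmp"
  echo "Enabled but on the deny list:"
  unwanted_enabled "$tmp" "$DENY"
  echo "Hardened file would read:"
  disable_services "$tmp" "$DENY"
  rm -f "$tmp"
}
main
```

Run against the real file by pointing the functions at it instead of the temp copy; after replacing the file, inetd has to be told to re-read its configuration (a HUP signal is the usual mechanism) before the change takes effect, and the same services should still be blocked at the firewall so that a later edit cannot quietly re-expose them.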
>> do I need a dynamic or static IP's from the ISP
>> what kind of router/modem should I use
>You only need whatever the DHCP server gives you when you connect via
>ISDN or cable modem.
>Uplink your current hub/switch to a Linksys router
>http://www.linksys.com/Products/product.asp?grid=23&prid=20
>at
>http://accessories.us.dell.com/sna/productdetail.asp?sku=008611
>or your local CircutCity, CompUSA, Fry's, etc...
>Move the Windows clients to DHCP, read the google groups on how to
>convert the SCO box to DHCP, or just move it to a private address that
>will be in the same subnet as the rest of your windows boxes.
I've found that keeping all the Windows machines and the Unix machine on
their own local static IPs is a more maintainable solution. Just a
little bit more work up front - but not much - and it makes
troubleshooting so much easier.
>With Cable modem should take 5 minutes top to be surfing the web.
And even with that you don't need DHCP.
--
Bill Vermillion - bv @ wjv . com
I'm sure I'm not telling you anything new but just wanted to say that
DHCP can hand out static IP addresses based on the network card's MAC.
You get the benefits of DHCP configuring the Winders boxes with the
hassle-free fun of static IPs :-). It is also easier to get a user to
give you the MAC of a new PC, change /etc/dhcpd.conf & /etc/hosts
(possibly /etc/named.d/*) files rather than walk the user through
setting everything manually. The static DHCP also allows the users to
re-install Winders at will (seemingly a common thing with Windows) and
have the machine back on the LAN with little or no fuss.
--
Darryl Krasman
Ideal Computer Group Inc.
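Darryl's suggestion of static leases keyed on the NIC's MAC still leaves the administrator maintaining /etc/dhcpd.conf and /etc/hosts by hand. The script below is an added example, not Darryl's or anyone else's code from this thread. From a small inventory of hostname, MAC and address it validates each MAC, rejects duplicate MACs or addresses (the usual cause of a "new PC" knocking another machine off the LAN), and emits the host reservations plus the matching /etc/hosts lines. It assumes the ISC dhcpd configuration syntax (`hardware ethernet` / `fixed-address` inside a `host` block); the inventory, hostnames and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build ISC dhcpd "host" reservations
# that pin a fixed address to each NIC's MAC, plus the matching /etc/hosts
# lines, from a small inventory. MAC syntax is validated and duplicate
# MACs or addresses are rejected before anything reaches the server.
# The inventory below is constructed; dhcpd.conf syntax is assumed to be ISC's.

# Constructed inventory: hostname  MAC  IPv4 (one per line).
INVENTORY='ws01 00:11:22:33:44:01 192.168.1.11
ws02 00:11:22:33:44:02 192.168.1.12
ws03 00:11:22:33:44:03 192.168.1.13'

# valid_mac MAC -> success if MAC is six colon-separated hex octets
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# check_inventory TABLE -> success if every MAC is well formed and no MAC
# or address appears twice; problems are reported on stderr
check_inventory() {
  status=0
  printf '%s\n' "$1" | while read -r name mac ip; do
    if [ -n "$name" ] && ! valid_mac "$mac"; then
      echo "bad MAC for $name: $mac" >&2
      exit 1          # leaves the pipeline's subshell with failure
    fi
  done || status=1
  dups=$(printf '%s\n' "$1" | awk 'NF == 3 { print $2; print $3 }' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate MAC or address:" $dups >&2
    status=1
  fi
  return $status
}

# dhcp_host_stanza NAME MAC IP -> one host block in dhcpd.conf syntax
dhcp_host_stanza() {
  printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# gen_dhcpd TABLE -> host blocks for the whole inventory
gen_dhcpd() {
  printf '%s\n' "$1" | while read -r name mac ip; do
    if [ -n "$name" ]; then dhcp_host_stanza "$name" "$mac" "$ip"; fi
  done
}

# gen_hosts TABLE -> /etc/hosts lines ("address<TAB>name")
gen_hosts() {
  printf '%s\n' "$1" | awk 'NF == 3 { print $3 "\t" $1 }'
}

main() {
  check_inventory "$INVENTORY" || { echo "fix the inventory first" >&2; return 1; }
  echo "# dhcpd.conf fragment"
  gen_dhcpd "$INVENTORY"
  echo "# /etc/hosts fragment"
  gen_hosts "$INVENTORY"
}
main
```

Keeping the inventory as the single source and regenerating both files from it is what makes the "user re-installs Windows and is back on the LAN" case painless: the MAC has not changed, so neither has the lease, and the administrator never edits the two files by hand and lets them drift apart.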
>I'm sure I'm not telling you anything new but just wanted to say that
>DHCP can hand out static IP addresses based on the network card's MAC.
>You get the benefits of DHCP configuring the Winders boxes with the
>hassle-free fun of static IPs :-).
I'm aware of that - but I've never had problems with static.
But for awhile I was working with some decent sized networks that
were 'dynamic'. By that I mean we could bring up 500 PCs in a
two-day period and they'd be up for a week to 10 days and then we'd
start all over again. Having static IPs assigned to each machine
made it easy to find out which vendor in which booth had a problem.
Management decided to set up DHCP as it would be easier. First
show that way I got a call from someone on the floor and I could
not help them because there was no quick/easy way to find out the
problems - as a computer next to one that was working could have an
IP assigned that could be in an adjoining /24 block.
Prior to that I could scan the arp address dump on the Cisco and
see where the problems were. [That sucker was BIG - weighed about 150
pounds] Maybe you could say I'm a 'control freak' but knowing what
computer has what and that I set it up that way surely made it
easier for me.
The DNS was a bit large - a tar dump of the namedb directory was
about 1MB - with 2500 addresses in it.
>It is also easier to get a user to give you the MAC of a new PC,
>change /etc/dhcpd.conf & /etc/hosts (possibly /etc/named.d/*)
>files rather than walk the user through setting everything
>manually.
In the above scenario [not a normal operation as you can see]
there would be printed directions for each group of machines that
were easy to follow.
>The static DHCP also allows the users to re-install Winders
>at will (seemingly a common thing with Windows) and have the
>machine back on the LAN with little or no fuss.
Running mixed networks is fun :-). I'd have anything from
any MS Win product, NT, Apple and dedicated routers. It just got
to be second nature. And for >me< made a much easier network
to troubleshoot and diagnose.
Static is not the bugaboo that some people say/think it is, just as
Sendmail is downplayed by many based on problems it had in the far
past.
Bill
Thanks everyone for your help. The concern is the SCO box, since it
contains patient confidential information and my client is a little
nervous about it. Here is another thought and I need some advice on
that: how about if I install a second NIC in all the Windows based
machines and connect them directly to the ISDN router and make the ISDN
router the gateway? All Windows machines are pretty much the same, with
the same image and easy to re-image if needed. Is this a good and safe
approach to keep the SCO box and existing LAN segment out of the loop?
Thoughts and suggestions please...
Abid!
Umm. medical? He likely has to meet HIPAA privacy requirements.
> here is another thought and I need some advice on
> that, how about if install a second NIC on all the Windows based
> machines and connect them directly to the ISDN router and make ISDN
> router a gateway, all windows machine are pretty much same, with the
> same image and easy to re-image if needed, is this a good and safe
> approch to keep SCO box and existing LAN segment out of the loop.
Not really. Hack any windows box and you have access to the SCO on its
other nic. The SCO still needs to be strongly locked up as though it
were directly on the internet. I know that's annoying, but it's better
to lock all the doors.
You had better look into HIPAA requirements. There are some people at
http://aplawrence.com/consultants.html who claim competency in that
area, a search at http://aplawrence.com/cgi-bin/search3.pl turns up at
least one but I thought there were more.
Abid,
Tony's right. Unless you've thoroughly studied the HIPAA requirements
for data security, you should refer this to someone who has. As an
example, at one point while the regulations were still in draft there
was a requirement that data exchanges between machines on the local
network had to be encrypted. I don't know whether this requirement
still stands but I do know that there are criminal as well as civil
penalties for mis-handling patient data. Be careful.
Steve Lancour
So you don't receive email on your server? Or you just let it queue
at the backup host overnight?
Depending on what email account we are talking about, yes it queues up
or no I don't receive it here.
I'm a self employed person and generally have been (minus a few moments
of stupidity here and there) since 1977. As I like the sound of cash
moving around in my bank accounts, I like having customers being able to
reach me. For example I keep my old business phone number alive even
though I don't use it for business anymore. Once in a while some
ancient customer calls me on that. Same for email accounts- the old
ones are still alive, and I'll keep 'em that way. I keep old web sites too.
The biggest exception to my "keep it" rule was that I recently dropped
my 800 number after 5 years (!) of fighting with AT&T because they kept
putting MY number on THEIR bills to customers- causing those customers
to call me looking for service or just to scream at me. It cost me
several hundred dollars every month, most of which AT&T did eventually
credit, but it was still such a pain that I got rid of it.
Only if the windows boxes are never connected to the Unix box. A common
backdoor is to find a windows machine and go through it.