
Inside or outside firewall?


Dar...@mycompany.com

Jan 23, 2004, 11:13:39 AM
We currently have our GWIA server on our internal network. Our firewall
is registered as our mail server, and it routes mail to the server.
We're looking at overhauling the connection from our ISP through to our
network, and the question has come up about moving the GWIA outside the
firewall.
What are the implications in doing this, and how would I need to modify
the GroupWise system to accomplish this?
Thanks in advance.

Jim Michael

Jan 23, 2004, 11:37:29 AM
Dar...@mycompany.com wrote:

> What are the implications in doing this, and how would I need to modify
> the GroupWise system to accomplish this?

The biggest implication is that if you don't put the GWIA in its own
secondary domain outside the firewall, you will need to create filter
exceptions to allow the GWIA to *log in* to the domain server. That is
definitely not a Good Thing.

Why are you wanting to expose the GWIA directly to the internet? When it's
behind the firewall you can at least do some good filtering to leave only the
absolutely necessary ports open.
--
Jim
NSC Sysop

Jim Michael

Jan 23, 2004, 2:34:00 PM
Dale Hird wrote:
>
> Then you just have to open two ports (mta port, and 524) to the inside.

If your GWIA is in a separate domain, you only need to allow the MTAs to
communicate... no 524 necessary (unless you need it to manage the outside
box).

--
Jim
NSC Sysop

Dale Hird

Jan 23, 2004, 2:20:45 PM
You should look at creating a DMZ; then you can either have a separate domain in the DMZ or, like we have here, a separate tree altogether in the DMZ. Then you just have to open two ports (MTA port, and 524) to the inside. You probably don't want to put the GWIA outside the firewall.

Dale
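The DMZ design Dale describes, with Jim's refinement that a GWIA in its own secondary domain only needs the MTA link to the inside (and 524 only if you manage the outside box from inside), can be written down as an explicit zone policy and checked. The following Python model is an added example for this thread, not code from the posts or from Novell. Everything in it is constructed: three zones (internet, dmz, inside), a hypothetical MTA link port of 7100 (GroupWise's default MTA port, but site-configurable), NCP/524 permitted only from inside to the DMZ host, and documentation-range addresses. It is a first-match, default-deny filter with a small connection-state table, so return traffic of an allowed flow passes without its own rule, which is the "stateful filter" idea raised later in the thread.

```python
"""Stateful, zone-based packet-filter model for a GWIA in its own DMZ domain.

Added example for this thread, not code from the posts or from Novell.
Constructed assumptions: three zones, an MTA link port of 7100 (GroupWise's
default, but configurable) and NCP/524 permitted only inside -> DMZ.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

SMTP_PORT = 25
MTA_PORT = 7100   # assumed MTA-to-MTA link port
NCP_PORT = 524    # NetWare Core Protocol: tree logins, as discussed in the thread


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    why: str = ""


# First-match policy; anything that matches no rule is denied.
DMZ_POLICY = [
    Rule("internet", "dmz", "tcp", SMTP_PORT, "allow", "inbound mail to the GWIA"),
    Rule("dmz", "internet", "tcp", SMTP_PORT, "allow", "GWIA delivering outbound mail"),
    Rule("dmz", "inside", "tcp", MTA_PORT, "allow", "DMZ-domain MTA to the internal MTA"),
    Rule("inside", "dmz", "tcp", MTA_PORT, "allow", "internal MTA to the DMZ-domain MTA"),
    Rule("inside", "dmz", "tcp", NCP_PORT, "allow", "manage the DMZ box from inside only"),
]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """First-match filter that remembers allowed flows so replies need no rule."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)
        # (src, sport, dst, dport, proto) of every new flow we allowed
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def check(self, p: Packet) -> str:
        # A packet travelling back along an allowed flow is return traffic.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "allow-established"
        for r in self.rules:
            zones_match = (r.src_zone, r.dst_zone, r.proto) == (p.src_zone, p.dst_zone, p.proto)
            if zones_match and r.dport in (None, p.dport):
                if r.action == "allow":
                    self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
                return r.action
        return "deny-default"


def reachable_from(rules: Iterable[Rule], zone: str) -> Set[Tuple[str, Optional[int]]]:
    """(dst_zone, port) pairs to which `zone` may open new connections."""
    return {(r.dst_zone, r.dport) for r in rules if r.src_zone == zone and r.action == "allow"}


if __name__ == "__main__":
    fw = StatefulFilter(DMZ_POLICY)
    probes = [  # constructed traffic, documentation addresses only
        Packet("internet", "203.0.113.5", 40000, "dmz", "gwia", SMTP_PORT),
        Packet("dmz", "gwia", SMTP_PORT, "internet", "203.0.113.5", 40000),   # reply
        Packet("internet", "203.0.113.5", 40001, "dmz", "gwia", NCP_PORT),
        Packet("dmz", "gwia", 50000, "inside", "mta1", NCP_PORT),
    ]
    for p in probes:
        print(f"{p.src_zone}->{p.dst_zone} dport={p.dport}: {fw.check(p)}")
    print("exposed to the internet:", reachable_from(DMZ_POLICY, "internet"))
```

Run as a script, the inbound SMTP probe is allowed, its reply passes as established, and both 524 probes fall through to the default deny; `reachable_from(DMZ_POLICY, "internet")` returns only `{("dmz", 25)}`, which is the whole exposure this design leaves. A GWIA left in the primary domain would instead need a dmz-to-inside 524 rule so it could log in to the domain server, which is exactly the exception Jim objects to.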

Tim Wohlford

Jan 25, 2004, 12:23:26 PM
I'm thinking that this would depend on the OS of your GWIA machine.

I routinely run GW machines naked to the 'net (no firewall), but I (so far)
have only deployed GW on NetWare boxes. As far as I can tell, the only
thing I need to make sure of is that the relaying is turned off. I've done
lots of searching, and can find no cases of such a server being hacked, at
least in the way that a Windows box is hacked. Quite frankly, the scripts
and executables just don't run on NetWare.

I would definitely hesitate to run a Windows box w/o a firewall.

Tim Wohlford, CNE


<Dar...@mycompany.com> wrote in message
news:TKbQb.937$vr5...@prv-forum2.provo.novell.com...

Jim Michael

Jan 26, 2004, 9:54:20 AM
Tim Wohlford wrote:
>
> I'm thinking that this would depend on the OS of your GWIA machine.
>
> I routinely run GW machines naked to the 'net (no firewall), but I (so far)
> have only deployed GW on NetWare boxes. As far as I can tell, the only
> thing I need to make sure of is that the relaying is turned off. I've done
> lots of searching, and can find no cases of such a server being hacked, at
> least in the way that a Windows box is hacked. Quite frankly, the scripts
> and executables just don't run on NetWare.
>
> I would definitely hesitate to run a Windows box w/o a firewall.

Somewhat valid point, but I wouldn't expose a NW box "naked" to the
Internet, myself, unless it were specialized and locked down like a
BorderManager server. Just allowing port 524 to the internet means people can
attempt to log into your tree. I don't want that. There are also some
various services running by default on a NW box that *could* be exploited,
just like any NOS.
--
Jim
NSC Sysop

Tim Wohlford

Jan 26, 2004, 8:27:43 PM
>
> Somewhat valid point, but I wouldn't expose a NW box "naked" to the
> Internet, myself, unless it were specialized and locked down like a
> BorderManager server. Just allowing port 524 to the internet means people can
> attempt to log into your tree. I don't want that. There are also some
> various services running by default on a NW box that *could* be exploited,
> just like any NOS.
> --

Not to disagree w/ a Sysop (but such seems to be my bent).....

When have you ever heard of someone successfully logging on to a NetWare
server from outside? Anyone document such a thing happening?

Tim Wohlford


Jim Michael

Jan 27, 2004, 9:52:08 AM
Tim Wohlford wrote:

> Not to disagree w/ a Sysop (but such seems to be my bent).....

Hehehe... have no fear, we have thick skins, and can (sometimes) admit when
we're wrong <g>

> When have you ever heard of someone successfully logging on to a NetWare
> server from outside? Anyone document such a thing happening?

Personally, I have not seen it myself. But why in the world should I provide
a "portal" into my network for someone to bang away on, until they guess a
userID/password combo? Or more likely, they don't need to even guess userIDs
because they may be a disgruntled employee, etc. It's just a risk I'm not
willing to take, since there is no valid reason to expose a NW server to the
Internet for NCP logins.

--
Jim
NSC Sysop

Tim Wohlford

Jan 27, 2004, 7:53:19 PM
So long as you have the usual "cast of characters" open (ports 23, 25, 80,
443, etc) you have a vulnerable box. So long as anyone can touch it it's
vulnerable. There is no such thing as "perfect security" in any part of
life. BM won't cure that, nor will any firewall appliance.

What I'm suggesting is that the likelihood of someone exploiting the Novell
ports is, at best, theoretical and to my knowledge never done in the wild.
If such a thing was done, a smart hacker would call up Novell and sell the
technology as a good replacement for NetDrive.

I've got 8 or so GW boxes out there, none running a firewall, and none
hacked. I can find no evidence of any NetWare box ever being hacked from a
'net connection. I've got 2 W2K boxes, with current service packs and long
complicated passwords, and both have been hacked by both slammer and script
kiddies, both being scanned several times a day.

Tim

"Jim Michael" <jkmi...@myrealbox.com> wrote in message
news:40167B17...@myrealbox.com...

Jim Michael

Jan 27, 2004, 9:25:37 PM
Tim Wohlford wrote:
>
> So long as you have the usual "cast of characters" open (ports 23, 25, 80,
> 443, etc) you have a vulnerable box. So long as anyone can touch it it's
> vulnerable. There is no such thing as "perfect security" in any part of
> life. BM won't cure that, nor will any firewall appliance.

All very true, but why expose more ports than you need to, is all I'm saying
;-) And I "slightly" disagree with the comment about BorderManager... what
you say is true for filters, but not for proxy services. When I expose my web
server via "port 80" to the internet via reverse-proxy, no web client ever
actually "touches" my real web server. Same goes for SMTP proxy, etc.

> What I'm suggesting is that the likelihood of someone exploiting the Novell
> ports is, at best, theoretical and to my knowledge never done in the wild.
> If such a thing was done, a smart hacker would call up Novell and sell the
> technology as a good replacement for NetDrive.

I'm not talking about "hacking" NetWare in the sense of finding an unknown
exploit... those are indeed very rare on NetWare. I'm referring to simply
allowing your server to be "tried" (via any NW client) to be logged into.
There is no need whatsoever to make a NW box publicly log-in-able, so to
speak. That's what VPNs are for <g>

> I've got 8 or so GW boxes out there, none running a firewall, and none
> hacked. I can find no evidence of any NetWare box ever being hacked from a
> 'net connection. I've got 2 W2K boxes, with current service packs and long
> complicated passwords, and both have been hacked by both slammer and script
> kiddies, both being scanned several times a day.

Sure, I have no doubt! I guess my core point is that there is no good reason
to put ANY box directly on the Internet (NetWare or otherwise) these days.
With the advent of stateful filters and reverse proxies, the entire concept
of "keeping a server outside my LAN in case it's hacked" is an unnecessary
worry.

--
Jim
NSC Sysop

Bill Sappington

Jan 29, 2004, 5:33:54 PM
Credit to all the other posters, all good stuff to be sure.

Real World Experience tells me the following:

NetWare is pretty much bullet proof.

I have been running several NetWare servers naked to the net for years
now, everything from 5.0 to 6.5 and not ONE of them has been damaged or
lost data. Am I playing the odds here? I don't think so. I think
NetWare was written with security as a top priority and therefore it's
ready to take on the world.

I have searched repeatedly for exploits and hacks for NetWare and it
_always_ comes down to either having a packet sniffer on the LAN
(unencrypted password=On) or physical access to the server itself.

I consider it a benefit to be able to directly log in to servers with
the NetWare client across the internet and so do my clients as they do
it routinely with laptops and whatnot.

Do I enforce rigorous password security, rotation, length and content? You
bet! Do I have intruder detection turned on? Oh yeah! Intruder
detection gives NO second chances; you muff your password more than three
times and you are just locked out until you are reset.

The ability to login directly to the server, without the hassles of
VPNs, firewalls, etc., etc. and STILL remain secure has made NetWare the
NetOS of choice for me and the clients I serve. If there is a
compelling reason to run out on a VPN, I set them up and they work just
fine. NetWare by default has the most minimal set of services open and
those that are open are as close to hack-proof as you're going to find.

I have yet to see the GWIA, POA or MTA hacked or damaged.

Until something comes along that can get past the gates, I consider
NetWare to be the most secure NOS you can purchase, bar none.
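The intruder detection Bill relies on (no second chances: more than three bad passwords and the account stays locked until an administrator resets it) is the control that answers Jim's worry about a server that anyone can "bang away on" until they guess a userID/password combination. The following Python replay is an added example for this thread, not code from the posts or from Novell's intruder detection. Its assumptions are constructed: a line-oriented login log, `result=OK` meaning only that the supplied password matched, a `MAX_FAILURES` threshold of three, and documentation-range addresses. It shows the lockout refusing a correct password once the threshold is crossed, a good login clearing a legitimate user's counter, and a per-source failure count that tells you which address to block further upstream.

```python
"""Intruder-detection replay: lock an account after repeated bad passwords.

Added example for this thread, not code from the posts or from Novell's
intruder detection. Constructed assumptions: a line-oriented login log,
result=OK meaning the supplied password matched, and a lockout after more
than MAX_FAILURES consecutive failures that only an explicit reset clears.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

MAX_FAILURES = 3  # "more than three times and you are locked out" (Bill's setting)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a local user mistypes once, an outside address
# hammers 'admin' and only gets the password right on the fifth try.
SAMPLE_LOG = """\
2004-01-27 09:00:01 LOGIN user=jsmith src=10.0.0.5 result=FAIL
2004-01-27 09:00:09 LOGIN user=jsmith src=10.0.0.5 result=OK
2004-01-27 09:01:00 LOGIN user=admin src=203.0.113.9 result=FAIL
2004-01-27 09:01:01 LOGIN user=admin src=203.0.113.9 result=FAIL
2004-01-27 09:01:02 LOGIN user=admin src=203.0.113.9 result=FAIL
2004-01-27 09:01:03 LOGIN user=admin src=203.0.113.9 result=FAIL
2004-01-27 09:01:04 LOGIN user=admin src=203.0.113.9 result=OK
2004-01-27 09:05:00 LOGIN user=jsmith src=10.0.0.5 result=FAIL
"""


class IntruderLockout:
    def __init__(self, max_failures: int = MAX_FAILURES) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked: Set[str] = set()
        self.events: List[Tuple[str, str, str]] = []   # (user, src, decision)

    def attempt(self, user: str, src: str, password_ok: bool) -> str:
        if user in self.locked:
            decision = "refused-locked"          # even a correct password is refused
        elif password_ok:
            self.failures[user] = 0              # a good login clears the counter
            decision = "ok"
        else:
            self.failures[user] += 1
            if self.failures[user] > self.max_failures:
                self.locked.add(user)
                decision = "fail-locked"
            else:
                decision = "fail"
        self.events.append((user, src, decision))
        return decision

    def reset(self, user: str) -> None:
        """Administrative unlock; the only way out once locked."""
        self.locked.discard(user)
        self.failures[user] = 0

    def failing_sources(self) -> Counter:
        """Failed or refused attempts per source address: what to block upstream."""
        return Counter(src for _, src, d in self.events if d != "ok")


def replay(log_text: str, max_failures: int = MAX_FAILURES) -> Tuple[IntruderLockout, List[str]]:
    """Feed every login record in the log through the lockout, in order."""
    det = IntruderLockout(max_failures)
    decisions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # ignore lines that are not login records
        decisions.append(det.attempt(m["user"], m["src"], m["result"] == "OK"))
    return det, decisions


if __name__ == "__main__":
    det, decisions = replay(SAMPLE_LOG)
    for (user, src, _), d in zip(det.events, decisions):
        print(f"{user:7} from {src:12} -> {d}")
    print("locked:", sorted(det.locked), "| failures by source:", det.failing_sources())
```

Replaying the sample locks `admin` on the fourth failure and then refuses the fifth attempt even though its password was correct, while `jsmith`'s later single failure never comes near the threshold because the earlier good login reset the counter. Note what the lockout does not do: it does not stop the traffic from arriving, so on an exposed 524 the attempts keep coming and a determined guesser can keep a legitimate account locked; that is the cost Jim is pointing at when he prefers not to expose NCP logins at all.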

Tim Wohlford

Jan 30, 2004, 9:47:01 PM
When I did the EMT / volunteer fireman thing we used to make jokes that "You
can tell how nervous the EMT is by how much oxygen (O2) they're giving the
patient." In other words, EMTs are famous for giving O2 to people who have
no signs of breathing troubles, and cranking up the O2, just to make them
(the EMT) feel like they were doing something to help the patient. The
worse the patient seemed to be, the more the O2 was cranked, even if the
lungs were working fine.

There are some security measures that seem to be in the same category. One
is a VPN, where people seem to feel better when they have one. It's always
amusing to see people be fanatical about VPNs only to have totally unsecured
workstations at the other end, or see them run SSL through such a pipe (VPN not
needed). Heck, I've got one client where the previous tech set up a VPN
inside of the office's LAN to connect to the NetWare server (no, I have no
clue why, in a 2-person heating and cooling office, he did this). In fact,
VPNs only maintain a "titanium pipe" between point A and point B, negating
"man in the middle" (or "woman in the middle" if you're talking about Laura
Chappell), but Novell's features (like NetDrive, iFolder, GW and NetStorage)
use SSL and were designed so that we didn't need to deploy VPNs.

The other one seems to be firewalls. Granted, Windows boxes are open to
hacking, and you need to hide those as much as possible to the 'net.
However, as we've noted, firewalling a NetWare box is pretty much a useless
act in that NetWare really needs no firewall. My clients (all small
businesses) have a NetWare box that's set up for BM, with 2 NICs and the
NAT-ing, which then feeds 'Net to the LAN. On top of that, there's always a
router, so the 'net traffic gets NAT'd twice before it hits the LAN.
Anyway, the only boxes I've had hacked in such a configuration were due to
spyware, which can't be stopped by a firewall. Firewalls are great if you
want to restrict employee conduct, or if you want to stop outgoing
virus-induced traffic, but so long as there are any ports open you've got
vulnerabilities, and a firewall won't stop that.

Tim Wohlford, CNE

"Bill Sappington" <Bi...@nospam.oaksystems.com> wrote in message
news:40198A55...@nospam.oaksystems.com...

Tim Wohlford

Jan 30, 2004, 11:53:48 PM
>
> All very true, but why expose more ports than you need to, is all I'm saying
> ;-) And I "slightly" disagree with the comment about BorderManager... what
> you say is true for filters, but not for proxy services. When I expose my web
> server via "port 80" to the internet via reverse-proxy, no web client ever
> actually "touches" my real web server. Same goes for SMTP proxy, etc.

Last time I got hacked it was due to BM37's infamous open proxy situation.
Spammer gained access to the M$ box via port 25 and then sent out tons of
porno spam via the proxy. I hate them. Okay, I should learn how to do them
better, but I still distrust them.


Tim Wohlford


Bill Sappington

Jan 31, 2004, 4:00:17 PM
Which just goes to show, you shouldn't let Windows boxes do anything
very important.