drew
Connectivity with dedicated communications machine
Jun 6 18:35 UTC 1999
My network, group DEITY, includes the following machines:

VAHL: (Comp room)
  Pentium 133
  128MB (4*32M, 72 pin)
  IDE0: Master = WD 4gig
  IDE1: Master = DRCDROM 32x; Slave = Acer 6x2 CDR
  Floppy: 3.5"
  PS2: Mouse
  Serial: COM3, COM4
  Parallel: (Diablo color)
  ISA:
    Serial 8250: COM1, COM2, Game (joyst), Parallel (disabled)
    Soundblaster 8
  PCI:
    VGA Cirrus Logic 2MB
    Ethernet Realtek 8029

APOLLO: (Basement)
  Intel 486sx25
  6MB (2MB permanent, 4*1MB, 30pin)
  VGA
  Serial 8250: COM1
  PS2: Mouse
  Parallel: enabled/unused
  ISA:
    Adaptec AHA1542C Scuzzy:
      0: Olympus 230MB Mag-op (removable media)
      3: IBM 500MB
    Floppy: 5.25"
    Ethernet Realtek 8019

AADRA: (Comp room)
  AMD 486DX3/100
  24MB (8M 72pin + 4*4MB 30pin)
  VLB:
    VGA Cirrus Logic
    Multi-IO:
      IDE0: Master = WD 512MB; IDE1: Unused
      COM1: (33.6K external) COM2: Mouse
      Floppy: Dual 3.5"(A)/5.25"(B)
  ISA:
    3Com Etherlink III

Vahl and Aadra share a monitor (via an A/B switch) and a keyboard
(via two DPDT switches) due to space limitations, and because only
one of my monitors displays 800 by 600 or better.

While Aadra has DOS and Linux installations, for the foreseeable
future it will need to run Windows NT almost exclusively, due to
ISP requirements. This machine is set aside for communications, so
as to minimize exposure and inconvenience in use of the other
machines. The idea is to give the net worms a machine to screw around
with that's not critical, while denying them access to - or even
knowledge of - anything else. However, it will still be necessary for
me to be able to move information back and forth between Aadra and
the other machines. So it is provided with ethernet connectivity.

The other machines will have NT installations - which takes care
of communications except for the security aspect - but may also be
running Linux or Windows 3.1 or plain DOS. This is where I am calling
for advice:

* Set the share permissions on the other two machines to allow each
  other full access to shared volumes, but deny all access to Aadra.
* Enable mounting of Aadra's volumes via the network on either Vahl
  or Apollo - as network drives - regardless of whether the latter
  machines are running NT, Linux, Win 3.1, or DOS.

(I know about Samba - it seems to allow access of a Linux box from
NT, but the other way around - which I would need - seems uncertain.)

Advice? Comments? URLs?

dang
response 1 of 3:
Jun 8 02:21 UTC 1999
Linux, at least, has built-in smb client access in its kernel. I'm not
sure how far back it goes, but it's there in my old 2.0.35 kernel. I've
never used it. My file server runs linux with samba/nfs, so my linux
boxes connect via nfs, and my windows boxes via smb. If I really need
to get something between linux and windows, I walk to the windows
machine and use ftp.

As far as securing your internet box, I don't have too much NT
experience in security, but I have extensive 9x experience. In 9x, you
can individually bind the File and Printer sharing to the instances of
the protocols. I, for example, have ADSL to Ameritech. I have a Win 98
box running that on one side and ethernet on the other. I don't have
the File and Printer sharing bound to the TCP/IP on the ADSL side, but I
do have it on the Ethernet side. Thus, people inside can get the shared
drive, people on the outside cannot. I believe NT has a similar
ability. I do know that NT has the option of turning packet forwarding
on and off. You definitely want it off, otherwise the internet can get
at your other interface, if not the rest of the network.

If you really are getting people on the internet beating on your
firewall, I'd definitely recommend something other than NT. I know of
two ways to reliably crash an NT box from the outside. I know of no
such way to crash Linux, and [Open|Net|Free]BSD is better.
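An added example (mine, not the poster's or dang's own setup) covering the share-permission request in the opening post and the per-interface binding dang describes: a Samba configuration for whichever of Vahl or Apollo is booted into Linux, giving the two trusted machines full access, refusing Aadra before any share is visible, and binding smbd to the internal Ethernet only, plus a small checker that predicts smbd's hosts allow/deny decision for a given client address. The 192.168.1.x addresses, the eth0 interface name and /srv/shared are assumed placeholders, and the checker simplifies Samba's matching to exact addresses and the ALL keyword.

```shell
#!/bin/sh
# Added example, not the poster's or dang's own setup. Host names DEITY,
# Vahl, Apollo and Aadra come from the thread; the 192.168.1.x addresses,
# the eth0 interface name and /srv/shared are assumed placeholders.

# Samba server config for Vahl or Apollo when booted into Linux: Vahl and
# Apollo (192.168.1.10/.11) get full access to the share, every other
# address, Aadra included, is refused before any share is seen, and smbd
# listens only on the internal Ethernet segment (the Linux analogue of
# binding File and Printer Sharing to the inside interface only).
write_smb_conf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = DEITY
   interfaces = eth0
   bind interfaces only = yes
   hosts allow = 192.168.1.10 192.168.1.11
   hosts deny = ALL

[shared]
   path = /srv/shared
   read only = no
EOF
}

# Predict smbd's decision for a connecting address under the [global] lists
# in a config file. Samba's order: a "hosts allow" match admits the client;
# failing that, a "hosts deny" match refuses it; failing both, it is admitted.
# Simplified to exact addresses and the ALL keyword (Samba also accepts host
# names and subnets), which is enough to verify the policy above.
smb_access() {
  conf=$1
  client=$2
  allow=$(awk -F= '/^[[:space:]]*hosts allow[[:space:]]*=/ { print $2; exit }' "$conf")
  deny=$(awk -F= '/^[[:space:]]*hosts deny[[:space:]]*=/ { print $2; exit }' "$conf")
  for a in $allow; do
    if [ "$a" = "$client" ]; then echo allow; return 0; fi
  done
  for d in $deny; do
    if [ "$d" = ALL ] || [ "$d" = "$client" ]; then echo deny; return 0; fi
  done
  echo allow
}

# Usage: write_smb_conf /etc/samba/smb.conf; smb_access /etc/samba/smb.conf 192.168.1.20
# prints "deny" for an address outside the allow list and "allow" for 192.168.1.10.
```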

drew
response 2 of 3:
Jun 8 21:15 UTC 1999
I'm not sure I would regard my comm box as a Firewall in the traditional
sense. Probably nothing is going to happen, but I thought it prudent to
separate internet contact from everything else. The idea is to *expect* the
comm box to have security breaches, and keep on it *only* what it needs to
do its job.

As for not using NT: The ISP I connect through has the rare advantage of
charging $0 per month, with $0 setup. (They didn't even ask for a credit card
number, like I expected.) As it seems to provide unfettered packet moving,
I'd like to keep using it, since doing so eliminates a measurable drain on
a currently non-renewable resource. (They are about the latest quality of
Driven, without the $13/month cost. I shan't complain too much.)

The drawback of this is that they fund their operations with advertising,
which means they want special software run to display ads, and their stuff
requires one of the Microsoft 32-bit OSes. The purpose of the dedicated
machine is to be the sacrificial Windows box, and also to isolate any weird
stuff that this ISP might try.