

Grex Micros Item 205: Connectivity with dedicated communications machine
Entered by drew on Sun Jun 6 18:35:30 UTC 1999:

My network, group DEITY, includes the following machines:

VAHL: (Comp room)
  Pentium 133
  128MB (4*32M, 72 pin)
  IDE0: Master = WD 4gig
  IDE1: Master = DRCDROM 32x; Slave = Acer 6x2 CDR
  Floppy: 3.5"
  PS2:  Mouse
  Serial: COM3, COM4
  Parallel: (Diablo color)
  ISA:
    Serial 8250: COM1, COM2, Game (joyst), Parallel (disabled)
    Soundblaster 8
  PCI:
    VGA Cirrus Logic 2MB
    Ethernet Realtek 8029

APOLLO: (Basement)
  Intel 486sx25
  6MB (2MB permanent, 4*1MB, 30pin)
  VGA
  Serial 8250: COM1
  PS2: Mouse
  Parallel: enabled/unused
  ISA:
    Adaptec AHA1542C Scuzzy:
      0: Olympus 230MB Mag-op (removable media)
      3: IBM 500MB
      Floppy: 5.25"
    Ethernet Realtek 8019

AADRA: (Comp room)
  AMD 486DX3/100
  24MB (8M 72pin + 4*4MB 30pin)
  VLB:
    VGA Cirrus Logic
    Multi-IO:
      IDE0: Master = WD 512MB; IDE1: Unused
      COM1: (33.6K external) COM2: Mouse
      Floppy: Dual 3.5"(A)/5.25"(B)
  ISA:
    3Com Etherlink III

    Vahl and Aadra share a monitor (via an A/B switch) and a keyboard
(via two DPDT switches) due to space limitations, and because only
one of my monitors displays 800 by 600 or better.

    While Aadra has DOS and Linux installations, for the foreseeable
future it will need to run Windows NT almost exclusively, due to
ISP requirements. This machine is set aside for communications, so
as to minimize exposure and inconvenience in use of the other
machines. The idea is to give the net worms a machine to screw around
with that's not critical, while denying them access to - or even
knowledge of - anything else. However, it will still be necessary for
me to be able to move information back and forth between Aadra and
the other machines. So it is provided with ethernet connectivity.

    The other machines will have NT installations - which takes care
of communications except for the security aspect - but may also be
running Linux or Windows 3.1 or plain DOS. This is where I am calling
for advice:

* Set the share permissions on the other two machines to allow each
  other full access to shared volumes, but deny all access to Aadra.

* Enable mounting of Aadra's volumes via the network on either Vahl
  or Apollo - as network drives - regardless of whether the latter
  machines are running NT, Linux, Win 3.1, or DOS.

  (I know about Samba - it seems to allow access of a Linux box from
NT, but the other way around - which I would need - seems uncertain.)

  Advice? Comments? URLs?

3 responses total.



#1 of 3 by dang on Tue Jun 8 02:21:20 1999:

Linux, at least, has built in smb client access in its kernel.  I'm not
sure how far back it goes, but it's there in my old 2.0.35 kernel. I've
never used it.  My file server runs linux with samba/nfs, so my linux
boxes connect via nfs, and my windows boxes via smb.  If I really need
to get something between linux and windows, I walk to the windows
machine and use ftp.

As far as securing your internet box, I don't have too much NT
experience in security, but I have extensive 9x experience.  In 9x, you
can individually bind the File and Printer sharing to the instances of
the protocols.  I, for example, have ADSL to Ameritech.  I have a Win 98
box running that on one side and ethernet on the other.  I don't have
the File and Printer sharing bound to the TCP/IP on the ADSL side, but I
do have it on the Ethernet side.  Thus, people inside can get the shared
drive, people on the outside cannot.  I believe NT has a similar
ability.  I do know that NT has the option of turning packet forwarding
on and off.  You definitely want it off, otherwise the internet can get
at your other interface, if not the rest of the network. 

 If you really are getting people on the internet beating on your
firewall, I'd definitely recommend something other than NT.  I know of
two ways to reliably crash an NT box from the outside.  I know of no
such way to crash Linux, and [Open|Net|Free]BSD is better.
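The two Samba-side pieces of what drew asks for in the original item (allow Vahl and Apollo to each other's shares but deny Aadra) and what dang describes in response #1 (bind file sharing only to the inside interface) can be expressed as a few smb.conf lines. The following is an added example, not code from either poster: it assumes made-up addresses on 192.168.1.0/24 for the three DEITY machines, and it implements my reading of the hosts allow / hosts deny decision order from smb.conf(5) and Samba's access check so the policy can be tested before it is put on a real box. The point worth seeing is the edge case: with both lists set, a host that appears in neither list is allowed, so "deny Aadra by name" is weaker than "deny ALL, then allow the two trusted boxes".

```python
import ipaddress

# Constructed addresses for the DEITY machines (the post gives none);
# 192.168.1.0/24 stands for the inside Ethernet segment.
HOSTS = {
    "vahl":   "192.168.1.1",
    "apollo": "192.168.1.2",
    "aadra":  "192.168.1.3",   # the sacrificial comm box
}


def _match_one(pattern, addr):
    """Match one smb.conf host pattern against a client address.
    Subset of the syntax: ALL, a full address, a trailing-dot prefix
    such as '192.168.1.', or CIDR a.b.c.d/n."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def _list_match(patterns, addr):
    """Match a 'hosts allow' / 'hosts deny' list; entries after EXCEPT subtract."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        hit = any(_match_one(p, addr) for p in patterns[:i])
        return hit and not any(_match_one(p, addr) for p in patterns[i + 1:])
    return any(_match_one(p, addr) for p in patterns)


def allow_access(allow, deny, addr):
    """Decide as smbd does (my reading of smb.conf(5) and Samba's
    lib/util/access.c, not code from the page):
      - loopback is allowed unless explicitly denied
      - no lists at all: allow everyone
      - allow list only: only the listed hosts
      - deny list only: everyone except the listed hosts
      - both lists: allow list wins, then deny list, then the REST IS ALLOWED"""
    if addr == "127.0.0.1":
        return not (deny and _list_match(deny, addr))
    if not allow and not deny:
        return True
    if not deny:
        return _list_match(allow, addr)
    if not allow:
        return not _list_match(deny, addr)
    if _list_match(allow, addr):
        return True
    if _list_match(deny, addr):
        return False
    return True


# Policy A: the item's literal request - allow Vahl and Apollo, deny Aadra by address.
NAMED_DENY = {"allow": [HOSTS["vahl"], HOSTS["apollo"]],
              "deny":  [HOSTS["aadra"]]}

# Policy B: deny everything, then whitelist only the two trusted boxes.
DEFAULT_DENY = {"allow": [HOSTS["vahl"], HOSTS["apollo"]],
                "deny":  ["ALL"]}


def check_policy(policy, addrs):
    """Map each client address to the access decision under a policy."""
    return {a: allow_access(policy["allow"], policy["deny"], a) for a in addrs}


def smb_conf(policy, interface):
    """Render [global] lines for the trusted boxes: bind smbd/nmbd to the
    inside Ethernet only (the same idea as leaving File and Printer Sharing
    unbound from the outside adapter on 9x) and apply the host lists."""
    return "\n".join([
        "[global]",
        f"   interfaces = {interface}",
        "   bind interfaces only = yes",
        "   hosts allow = " + " ".join(policy["allow"]),
        "   hosts deny = " + " ".join(policy["deny"]),
    ])


if __name__ == "__main__":
    # .99 is a constructed address that appears in neither list.
    probe = list(HOSTS.values()) + ["192.168.1.99"]
    for name, pol in (("named deny", NAMED_DENY), ("default deny", DEFAULT_DENY)):
        print(name, check_policy(pol, probe))
    print(smb_conf(DEFAULT_DENY, "192.168.1.1/24"))
```

Running it shows that under NAMED_DENY the unlisted 192.168.1.99 is allowed while Aadra is denied; under DEFAULT_DENY only Vahl and Apollo get in. The reverse direction drew needs (mounting Aadra's NT share from a Linux Vahl or Apollo) is the in-kernel smb client dang mentions: on 2.0/2.2-era kernels it was smbfs (smbmount, or mount -t smbfs); later kernels replaced it with the cifs client (mount -t cifs). Neither of those is exercised above since they need a live server.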


#2 of 3 by drew on Tue Jun 8 21:15:37 1999:

I'm not sure I would regard my comm box as a Firewall in the traditional
sense. Probably nothing is going to happen, but I thought it prudent to
separate internet contact from everything else. The idea is to *expect* the
comm box to have security breaches, and keep on it *only* what it needs to
do its job.

As for not using NT: The ISP I connect through has the rare advantage of
charging $0 per month, with $0 setup. (They didn't even ask for a credit card
number, like I expected.) As it seems to provide unfettered packet moving,
I'd like to keep using it, since doing so eliminates a measurable drain on
a currently non-renewable resource. (They are about the latest quality of
Driven, without the $13/month cost. I shan't complain too much.)

The drawback of this is that they fund their operations with advertising,
which means they want special software run to display ads, and their stuff
requires one of the Microsoft 32-bit OSes. The purpose of the dedicated
machine is to be the sacrificial Windows box, and also to isolate any wierd
stuff that this ISP might try.


#3 of 3 by gregb on Tue Jun 15 00:49:05 1999:

Sounds like an interesting setup you got there.  Maybe I could check it 
out sometime?  I'd love some first-hand networking exposure, albeit a 
small one.



- Backtalk version 1.3.30 - Copyright 1996-2006, Jan Wolter and Steve Weiss