The reason he's talking about is if your DSL is plugged into your hub, then your
hub to your Linux box that has its NIC aliased as eth0 and eth0:0 to pretend
as though it were 2 NICs, you can from the outside come in on the DSL with your
IP spoofed as 192.168.0.* (or try another thing or two such as 10.200.*, etc.
etc.) and you would have access as though you were on the local network. This
isn't too much of a problem until someone spoofs your local network, then uses
the port forwarding on your firewall to hack into a government computer or
participate in a DOS attack. Then the feds come to your front door and seize
your equipment even though you're guilty of nothing but keeping an insecure
network. As long as your firewall faces both directions (i.e. only allow certain
access in and out, even if they're on the local network).
In single NIC configurations you have to treat your local network as though it
were as hostile as the internet as a whole. Use your Linux box as an
authentication domain as a prerequisite to sharing the internet connection.
You can do it, and you can make it *fairly* secure, but it is definitely less
secure than 2 NICs.
On Fri, 18 Aug 2000, you wrote:
> Hold on. Civilme posted a message a few months ago stating that a single
> NIC with a single hub is dangerous. He said something to the effect of "a
> hacker could create a VPN on his side that effectively exposes your entire
> private network." Unfortunately, Civilme is no longer on the list. Check
> the archives. You want at least 2 NICs with 2 HUBS(or a direct link from
> NIC to DSL modem).
>
> I would assume further isolation of the email and web server would further
> protect the network. If the email or web server is hacked, the ipchains on
> the Linux router would effectively only allow port 25 and 110 to leave the
> mail server. This assumes that you have stripped your router down to the
> point that it is virtually impossible to hack (nothing but ssh logins).
>
> Matthew Zaleski
>
> > -----Original Message-----
> > From: Joseph S. Gardner [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 18, 2000 8:33 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [expert] Stupid server question #3
> >
> >
> > Greg Stewart wrote:
> > >
> > > > Why not plug B and C into the hub also? I don't see the advantage to
> > > > plugging them directly to the firewall... Consider this:
> > > >
> > > > internet -> dsl modem -> comp a -> hub -> all other computers
> > > >
> > > > You still have comp a (your firewall) between the internet and all of
> > > > your machines... hooking up b and c to a is just costing you more work
> > > > with getting 4 nics setup instead of 2 (all you really need).
> > >
> > > Also, depending on the age/maturity of the firewall (old machine, or brand
> > > new?) you may be consuming a bit more system overhead than you
> > > need--powering and driving two extra NICs.
> > >
> > > Besides, it's easier, and involves less typing, configuring your firewall
> > > to masquerade only one NIC, rather than three. You would, then, also need
> > > to plan for three subnets, and port-forward accordingly. A little more
> > > confusing than having only one subnet and one internal NIC.
> > >
> > > --Greg
> > >
> > > > On Wed Aug 16, 2000 at 11:22:14AM -0400, Joseph S. Gardner wrote:
> > > >
> > > > > SOHO server setup scenario "Firewall from hell"
> > > > >
> > > > > The object being to keep it simple but keep it secure....
> > > > >
> > > > > Assuming five computers
> > > > > comp A = firewall w/ X NIC's
> > > > > comp B = mail server
> > > > > comp C = web server
> > > > > comp D = workstation D
> > > > > comp E = workstation E
> > > > >
> > > > > also assuming I have dsl modem and one hub
> > > > >
> > > > > internet connection plugged into DSL modem.
> > > > > DSL modem plugged into comp A (firewall)
> > > > > Comp A, D & E plugged into hub
> > > > > Comp B & C plugged into comp A
> > > > >
> > > > > this would mean comp A would require 4 NIC's (DSL, comp B, comp C and
> > > > > hub)
> >
> > There's definitely something I never thought of, I guess I never realized
> > that you could effectively protect the internal machines if they had a
> > "direct" connection to the "public" machine via the hub but it does
> > make some sense now that you mention it. (Head hung in shame)
> >
> > Thanks,
> > --
> > Joseph S Gardner
> >
> > Senior Designer / Technical Support
> > Kirby Co., Cleveland, OH
> > [EMAIL PROTECTED]
> >
> > The box said,
> > "Requires Windows 3.x or better",
> > so I got Linux.
> >
> > Registered Linux user #1696600
> >
--
-David Talbot
*****************************************************************************
So long as the government has the power to invade our lives, rummage through
our records, and take what it wants from our income, we will have only as
much freedom and take-home pay as the politicians condescend to let us have.
-Harry Browne Libertarian Candidate for President (www.HarryBrowne2000.org)
******************************************************************************
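The two-sided policy the thread argues for (drop private-source packets arriving from the DSL, and treat the LAN side as hostile, letting the mail server out only on 25/110), as an added example modelled in Python rather than ipchains; it is not code from any poster. The interface names, the 192.168.0.0/24 LAN, the mail server address and the sample packets are constructed assumptions. The first branch only works because a second NIC lets the kernel tell DSL traffic from hub traffic; with one aliased NIC both arrive on eth0 and the spoofed packet is indistinguishable, which is the thread's point.

```python
import ipaddress
from typing import NamedTuple

# Constructed two-NIC topology for this example (not from the thread):
# eth0 faces the DSL modem, eth1 faces the hub with the 192.168.0.0/24 LAN.
EXTERNAL_IF = "eth0"
INTERNAL_IF = "eth1"
LAN = ipaddress.ip_network("192.168.0.0/24")
# RFC 1918 space plus loopback: none of these may legitimately arrive from the Internet.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MAIL_SERVER = ipaddress.ip_address("192.168.0.2")   # assumed address of comp B
MAIL_PORTS = {25, 110}                               # ports the thread lets it use

class Packet(NamedTuple):
    in_if: str      # interface the packet arrived on
    src: str
    dst: str
    dport: int

def decide(pkt: Packet) -> tuple:
    """Return (verdict, reason) the way a firewall facing both directions would."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_if == EXTERNAL_IF:
        # Anti-spoofing: a private source address on the DSL side is forged.
        if any(src in net for net in PRIVATE):
            return ("DENY", "spoofed private source on external interface")
        return ("ACCEPT", "external traffic, subject to the port rules")
    if pkt.in_if == INTERNAL_IF:
        # The LAN is treated as hostile too: only real LAN addresses pass,
        if src not in LAN:
            return ("DENY", "non-LAN source on internal interface")
        # and the mail server may only leave on its mail ports.
        if src == MAIL_SERVER and pkt.dport not in MAIL_PORTS:
            return ("DENY", "mail server egress outside ports 25/110")
        return ("ACCEPT", "legitimate LAN traffic")
    return ("DENY", "unknown interface")

# Constructed sample packets: a spoofed LAN address coming in over the DSL,
# a normal inbound SMTP connection, and a compromised mail server reaching out.
SAMPLES = [
    Packet("eth0", "192.168.0.7", "192.168.0.1", 22),
    Packet("eth0", "203.0.113.9", "192.168.0.2", 25),
    Packet("eth1", "192.168.0.2", "198.51.100.4", 6667),
    Packet("eth1", "192.168.0.2", "198.51.100.4", 25),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.in_if, p.src, "->", p.dst, p.dport, *decide(p))
```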