Kory Krofft wrote:

> 1. 1st line of defense is of course my Dachstein firewall. It has no
> additional packages other than serial.o loaded. I do have a couple of
> ports forwarded to a game server but the server is only on when we are
> using it.

Ok. That's better than their being always on. A DMZ for your servers would be safer, but is not necessary.

> 2. All the machines on the internal net are Win98 systems. I have
> unbound TCP/IP from file and printer sharing and use Netbeui for those
> tasks.

No problem with that because ports 13[789] are blocked by DF and there's no route from DF to your internal LAN.

> My assumption is that the lrp box would be tough to compromise but
> if it was cracked or root kitted some way a cracker would still not
> be able to do much to my network once logged in to the firewall.

If the cracker got root, they could attack your internal computers at will. Don't let anyone from the Internet have access to the LEAF box. Don't let sshd or telnet or anything listen for new connections on the external nic. Then you are very safe from external attacks.

> So what am I missing? What sorts of havoc could a properly motivated
> cracker cause?

Yes, there's no end to CERT advisories about M$ products like IE5, IE6, IIS, and Outlook. Someone exploiting one of those holes could gain access to your Win98 boxes with the rights of the user, and thus access your whole internal net and the shares that are open. Run Mozilla or Opera or Netscape, instead, and don't use Outlook or IE. Always apply the critical updates from M$ Update. AOL Instant Messenger has a big hole, too.

Don't run snmp :-)

Regards,
Matthew

> Thanks for the sanity check,
> Kory Krofft

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
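The advice above to let nothing listen for new connections on the external NIC is easy to state and easy to forget to check after adding a package. Below is an added example (not from the thread, and not part of Dachstein or LEAF) of a small POSIX shell check: it reads `netstat -tln`-style output and reports every TCP listener that is reachable from the external side, meaning a socket bound to the wildcard address `0.0.0.0` or to the external interface's own address. The netstat text, the interface address `203.0.113.5` and the internal address `192.168.1.254` are constructed sample values; on a real box you would pipe the live `netstat -tln` output into `external_listeners` instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original thread: flag TCP listeners that are
# reachable through the external NIC of a firewall box.
# Assumption: input looks like `netstat -tln` on a Linux system, one socket
# per line, with the local address in column 4 as ADDR:PORT.

# Constructed sample output (not captured from a real machine).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.254:80        0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:23          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# external_listeners EXT_IP
# Reads netstat text on stdin; prints "PORT tcp BIND_ADDR" for each TCP
# listener bound to the wildcard address or to EXT_IP (the external NIC).
# Sockets bound only to the internal or loopback address are not reported,
# because they cannot accept connections from the Internet side.
external_listeners() {
    ext_ip="$1"
    awk -v ext="$ext_ip" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")       # "ADDR:PORT" -> a[1]=ADDR, a[n]=PORT
            addr = a[1]; port = a[n]
            if (addr == "0.0.0.0" || addr == ext)
                print port, "tcp", addr
        }'
}

# count_external_listeners EXT_IP
# Convenience wrapper over the constructed sample: number of externally
# reachable TCP listeners. A hardened firewall box should report 0.
count_external_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample (real use: netstat -tln | external_listeners EXT_IP):
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners 203.0.113.5
```

With the sample input the script reports sshd on port 22 (bound to `0.0.0.0`, so reachable on every interface) and telnet on port 23 (bound directly to the external address), while the web server bound to the internal address and the mailer on loopback are left alone. Binding a daemon to the internal address only, or removing it, is the fix the reply recommends; the check is worth re-running after each package is added to the firewall.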
