Rusty Gadd wrote:
> I am seeking advice on the security aspects of the configuration of my home
> system. I have 2 PC's, connected to the internet via a firewalled NAT
> router. The main PC is an i386 P4 used for general computing, the second is
> an older i386 P3 which I intend to dedicate to internet banking for maximum
> security. I have installed OpenBSD on the P3 with just the xfce4 window
> manager and the Mozilla Firefox browser. Both PC's have separate printers.
>
> 1: The P3 will only ever connect to bank websites, which I have to assume
> are 'clean' (I might be able to disable scripting for some sites). However
> malware may conceivably infect the main PC. Am I right in assuming I need to
> run PF within OBSD on the P3 to protect against possible intrusion across
> the LAN? Would this be enough? Also even within this minimal installation,
> are there services which I could/should disable?

See the home page of the OpenBSD website. That "Two holes in the default install in 10 years" applies directly to your situation. If you can put OpenBSD bare on the 'net "safely", I suspect your home network is no worse. :)

Sure, if you run PF on that machine and have eliminated those two remaining security holes. Certainly not a bad thing.

One can make a case for running PF on almost every OpenBSD machine, but administration becomes a bit more difficult for what is often minimal benefit. Your PF rules would probably just block all incoming traffic and pass outgoing traffic. Or if you want to make sure it is used only for your desired app, block everything outbound 'cept for that traffic destined to your desired locations (note: this is a lot of "fun" to maintain).

If you gotta ask, don't disable things. You will more likely hurt yourself than help.

In order for your "general purpose" machine to impact your OpenBSD machine you would need to be running some app on the OpenBSD machine that is vulnerable to attack. So, in general, just don't add anything to the machine you don't need, and in your case, "default install" is about right.

> 2: Space for the P3 is limited and I would like to remove its printer and
> print bank statements across the LAN on the main PC (running Linux, or maybe
> FreeBSD in future) using CUPS. Does this introduce security risks?

Some. Not much. If you end up (accidentally) running a poorly written service on your OpenBSD machine, yes you could be attacked. Even if you are initiating contact with a compromised machine, it *might* be able to send something back at you that could choke your app and cause Bad Things to happen.

The sad thing is you are being more careful with your system design than your bank probably is. :-/ By the time you are running OpenBSD on your banking computer, I suspect you have shifted the primary risk to the other end of the wire...your bank is a bigger risk to your data than you are.

Nick.
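
Added example, not part of the original thread or written by either poster: a pf.conf sketch of the two policies the reply describes (block everything inbound and pass outbound, or restrict outbound to chosen destinations), extended to cover the CUPS printing case from question 2. The addresses, the table file path and the choice of the router as DNS resolver are assumptions made up for illustration.

```pf
# /etc/pf.conf for the dedicated banking machine (added example).
# All addresses below are constructed placeholders, not values from the thread.
dns_server = "192.168.1.1"     # assumed: the NAT router is the DNS resolver
print_host = "192.168.1.10"    # assumed: LAN address of the main PC running CUPS

# Bank addresses kept by hand, one address or CIDR per line.
# Hypothetical file; it must exist before the ruleset will load.
table <banks> persist file "/etc/pf.banks"

set skip on lo

# Default deny in both directions. Nothing on the LAN, including the
# main PC, can open a connection to this machine. "log" sends blocked
# packets to pflog0 so unexpected traffic can be reviewed.
block return log all

# Simple policy: nothing in, everything out.
# To use it, uncomment the next line and remove the three rules below.
# pass out all

# Strict policy: only the traffic the machine needs for its one job.
# PF rules are stateful by default, so replies to these connections
# are allowed back in without any "pass in" rule.
pass out on egress proto { tcp, udp } to $dns_server port 53
pass out on egress proto tcp to <banks> port 443
pass out on egress proto tcp to $print_host port 631    # IPP to CUPS
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Under the strict policy everything not listed is blocked outbound, including NTP and package or patch downloads, and the `<banks>` table has to be updated whenever a bank's addresses change.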

