[ale] slightly OT: network structure

James P. Kinney III jkinney at localnetsolutions.com
Wed Feb 13 19:26:19 EST 2002


If I were in your position I would insist that the box either be under
my control or not in my cabinet. The last thing you want is some bozo
MCSE to grab the wrong keyboard and use the 3-finger salute to log into
the w2k box! It will happen.

If you must put it in, have a separate net connection for the w2k box that
has no connection at all (different provider is preferable) to your
other cabinet boxen. Add the w2k IP address to all your routers and
firewalls to block all access from the w2k box on every port for every
service. Nimda and Code Red eat up enough bandwidth without sharing a
router.

On Wed, 2002-02-13 at 17:05, jenn at colormaria.com wrote:
> I've been asked to put a Win2000 box that I will not manage in my cabinet at
> our co-lo facility.  I'm considering putting this box in my DMZ with my
> email and DNS servers and I'm wondering if anyone who has managed a
> mixed-environment network could help me ensure that, should this machine run
> amok, it won't hurt my other boxen?
> 
> I have a linux box acting as a gateway between the co-lo network and my DMZ.
> The DMZ servers all run iptables firewalls, have unnecessary services turned
> off, and are as securely set up as I can make them.  In the DMZ is a
> firewall/NAT machine that protects some other servers.  Is this enough to
> protect my DMZ machines should the windows box get compromised in some way? 
> Should I put it on my private network and run NAT for its services?   I've
> considered also replacing the initial linux gateway with a cisco or other
> brand managed switch, and attempting some sort of vlan, but I'm  not
> convinced this would make things better...and be a learning curve to boot.
> 
> What do you folks do in a situation like this?  The admin for this machine
> has already agreed to follow the NSA guidelines for locking down a windows
> machine, and anything else I can find for him.  All help is, as always,
> appreciated.
> 
> TIA
> jenn
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
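The isolation James describes (the w2k address blocked on every port, on every other box and on the gateway) can be expressed as iptables rules on the Linux hosts Jenn already runs. The script below is an added example written for this archive page, not something either poster supplied; the addresses 192.0.2.50 and 192.0.2.0/24 and the chain name UNTRUSTED_IN are constructed placeholders. It prints the rules rather than applying them, so it can be reviewed first and then piped into sh as root on each box.

```sh
#!/bin/sh
# Added example (not from the thread): iptables rules that cut an unmanaged
# Windows host off from every other machine in the same DMZ while still
# letting it reach the outside world. Addresses are constructed placeholders.
UNTRUSTED=${UNTRUSTED:-192.0.2.50}    # the Win2000 box (assumed address)
DMZ_NET=${DMZ_NET:-192.0.2.0/24}      # the DMZ segment (assumed)
IPT=${IPT:-iptables}

# host_rules: for each managed DMZ server. Anything the untrusted box sends
# to this host is logged (rate-limited) and dropped, on every port, ahead of
# any ACCEPT rule; the host is also stopped from initiating traffic to it.
host_rules() {
    u=$1
    cat <<EOF
$IPT -N UNTRUSTED_IN 2>/dev/null || $IPT -F UNTRUSTED_IN
$IPT -A UNTRUSTED_IN -m limit --limit 5/min -j LOG --log-prefix "untrusted-host: "
$IPT -A UNTRUSTED_IN -j DROP
$IPT -I INPUT 1 -s $u -j UNTRUSTED_IN
$IPT -I OUTPUT 1 -d $u -j DROP
EOF
}

# gateway_rules: for the Linux gateway and the inner firewall/NAT box.
# Forwarded traffic between the untrusted box and the rest of the DMZ is
# dropped in both directions; its traffic to and from the Internet still flows.
gateway_rules() {
    u=$1; net=$2
    cat <<EOF
$IPT -I FORWARD 1 -s $u -d $net -j DROP
$IPT -I FORWARD 1 -s $net -d $u -j DROP
EOF
}

# Print both rule sets for review. To apply on a given box, e.g.:
#   host_rules 192.0.2.50 | sh
host_rules "$UNTRUSTED"
gateway_rules "$UNTRUSTED" "$DMZ_NET"
```

The per-host rules are the part that actually matters on a shared segment: two machines on the same switch talk directly, so the gateway's FORWARD chain never sees that traffic, and only the rules on each DMZ server's own INPUT chain stop a compromised neighbour from reaching it. The LOG line gives an early signal that the box has started scanning.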