[ale] slightly OT: network structure

James P. Kinney III jkinney at localnetsolutions.com
Wed Feb 13 22:43:18 EST 2002


You can, if you are so inclined, do a thorough packet examination on all
stuff going TO the w2k box. Examining payloads is a PIA, but it can be
used to kill some common attacks. Unless your upstream provider is
filtering for code red and friends, you're probably already getting
pounded.

If you have to do <shudder> administration <laugh> on the w2k box, plonk
in VNC and open a port only allowing access from your box. At least you
can reboot the $%#@ thing when it gets hit.

Did we talk about the billing rate for this box? It should be variable
based on:
1. bandwidth consumption due to infections.
2. frequency of network related problems due to infections.
3. general mood and temperament of the *NIX admin in the same cabinet.
4. depth of pockets of w2k box owner. If they can afford the liability
of a w2k server, they can pay for the headaches.


On Wed, 2002-02-13 at 20:16, jenn at colormaria.com wrote:
> The Nimda/code-red/worm stuff is what I'm most afraid of...
> Said bozo won't have any physical access to the cabinet, at least, and he
> will be subject to frequent scans by nmap and nessus to make sure he's not
> got any nasty ports open. As far as I know, this box will be running web and
> mail services, so we've got many potential victims right there...IIS,
> ColdFusion scripts, Ipswitch Imail...yee haw.  And because of no physical
> access...that means some sort of remote management through who-knows-what
> sort of tool.
> 
> I have a single connection to the co-lo network (hence, the outside world),
> and we don't have the budget to get anything more than that, so he has to
> live behind my router somehow.  
> 
> This is where I get confused however, being only somewhat knowledgeable about
> linux routing and not at all about using "real" managed switching appliances
> and how they work.  I can and will block his IP on all of my DMZ boxen, but
> that doesn't solve the potential bandwidth problem.  I know I can't do
> anything to limit his bandwidth behind the linux router, because it plugs
> into a cheap unmanaged switch that can't limit traffic on a single port.  Can
> a Cisco (or other brand) do this? Would that be enough to protect me?  What
> about another NIC in the linux router devoted entirely to him? Would that
> accomplish the same thing?  Is that even possible?
> 
> Sorry for the denseness. Network management continues to baffle me..the more
> I learn about it, the less I know. :(
> 
> Thanks again,
> 
> jenn
> 
> > If I were in your position I would insist that the box either be under
> > my control or not in my cabinet. The last thing you want is some bozo
> > MCSE to grab the wrong keyboard and use the 3-finger salute to log into
> > the w2k box! It will happen.
> > 
> > If you must put it in, have separate net connection for the w2k box
> > that has no connection at all (different provider is preferable) to
> > your other cabinet boxen. Add the w2k IP address to all your routers
> > and firewalls to block all access from the w2k box on every port for
> > every service. Nimda and code-red eat up enough bandwidth without
> > sharing a router.
> > 
> > On Wed, 2002-02-13 at 17:05, jenn at colormaria.com wrote:
> >> I've been asked to put a Win2000 box that I will not manage in my
> >> cabinet at our co-lo facility.  I'm considering putting this box in my
> >> DMZ with my email and DNS servers and I'm wondering if anyone who has
> >> managed a mixed-environment network could help me ensure that, should
> >> this machine run amok, it won't hurt my other boxen?
> >> 
> >> I have a linux box acting as a gateway between the co-lo network and
> >> my DMZ. The DMZ servers all run iptables firewalls, have unnecessary
> >> services turned off, and are as securely set up as I can make them. 
> >> In the DMZ is a firewall/NAT machine that protects some other servers.
> >>  Is this enough to protect my DMZ machines should the windows box get
> >> compromised in some way?  Should I put it on my private network and
> >> run NAT for its services?   I've considered also replacing the initial
> >> linux gateway with a cisco or other brand managed switch, and
> >> attempting some sort of vlan, but I'm  not convinced this would make
> >> things better...and be a learning curve to boot.
> >> 
> >> What do you folks do in a situation like this?  The admin for this
> >> machine has already agreed to follow the NSA guidelines for locking
> >> down a windows machine, and anything else I can find for him.  All
> >> help is, as always, appreciated.
> >> 
> >> TIA
> >> jenn
> >> 
> >> 
> >> ---
> >> This message has been sent through the ALE general discussion list.
> >> See http://www.ale.org/mailing-lists.shtml for more info. Problems
> >> should be  sent to listmaster at ale dot org.
> > -- 
> > James P. Kinney III   \Changing the mobile computing world/
> > President and COO      \          one Linux user         /
> > Local Net Solutions,LLC \           at a time.          /
> > 770-493-8244             \.___________________________./
> > 
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
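The dedicated-NIC arrangement the thread goes back and forth on, worked through as an added example (this is not code from any of the posters): a POSIX shell script for the Linux router that puts the Windows box on its own interface, keeps it out of the DMZ with iptables, lets only the admin host open VNC to it, exposes only web and mail to the Internet, and caps its bandwidth with tc. Once the box hangs off its own NIC the router sees its traffic on a distinct interface and can filter and shape it, which is exactly what an unmanaged switch cannot do. The interface names (eth0/eth1/eth2), addresses, VNC port, rates and function names are all assumptions; HTB and the iptables state match are assumed to be available (both are standard on current kernels, though HTB was still a patch when this thread was written).

```shell
#!/bin/sh
# Added example, not code from the ALE thread. Isolates an unmanaged Windows
# host on its own NIC of a Linux router: iptables keeps it out of the DMZ,
# lets only the admin box reach VNC, and tc caps its bandwidth.
# Every interface name, address, port and rate below is an assumption.
set -eu

UPLINK=${UPLINK:-eth0}            # co-lo uplink
DMZ_IF=${DMZ_IF:-eth1}            # your own DMZ servers
W2K_IF=${W2K_IF:-eth2}            # NIC dedicated to the Windows box
W2K_IP=${W2K_IP:-198.51.100.2}    # the Windows box, on its own small subnet
ADMIN_IP=${ADMIN_IP:-192.0.2.5}   # the only host allowed to open VNC to it
VNC_PORT=${VNC_PORT:-5900}
W2K_RATE=${W2K_RATE:-1mbit}       # cap on traffic to and from the box
UPLINK_RATE=${UPLINK_RATE:-100mbit}

# DRY_RUN=1 prints each command instead of running it, so the rule set can
# be reviewed (and tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

isolate_w2k() {
    # Whatever comes in on the Windows NIC must carry the box's own address,
    # so a compromised host cannot spoof a DMZ source to slip past the rules.
    run iptables -A FORWARD -i "$W2K_IF" ! -s "$W2K_IP" -j DROP

    # Replies to connections the admin host opened (the VNC session) are the
    # only traffic allowed from the Windows segment into the DMZ; this rule
    # must come before the blanket DROP. Everything else is logged and dropped,
    # which is also how you notice the box has started scanning.
    run iptables -A FORWARD -i "$W2K_IF" -o "$DMZ_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$W2K_IF" -o "$DMZ_IF" \
        -j LOG --log-prefix "w2k-to-dmz: "
    run iptables -A FORWARD -i "$W2K_IF" -o "$DMZ_IF" -j DROP

    # From the DMZ side only the admin host may reach the box, and only on VNC.
    run iptables -A FORWARD -i "$DMZ_IF" -o "$W2K_IF" \
        -s "$ADMIN_IP" -d "$W2K_IP" -p tcp --dport "$VNC_PORT" -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$W2K_IF" -j DROP

    # Its own outbound traffic (mail delivery, updates) goes straight to the
    # uplink; the tc cap below is what limits the damage when that turns into
    # worm scanning.
    run iptables -A FORWARD -i "$W2K_IF" -o "$UPLINK" -s "$W2K_IP" -j ACCEPT

    # From the Internet, expose only the services the box is there to run
    # (SMTP, HTTP, POP3); VNC and everything else stay unreachable.
    run iptables -A FORWARD -i "$UPLINK" -o "$W2K_IF" -d "$W2K_IP" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 25 80 110; do
        run iptables -A FORWARD -i "$UPLINK" -o "$W2K_IF" -d "$W2K_IP" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$UPLINK" -o "$W2K_IF" -j DROP
}

shape_w2k() {
    # Egress on the uplink: an HTB class with ceil == rate is a hard cap on
    # what the box may send out; everything else lands in the default class.
    run tc qdisc add dev "$UPLINK" root handle 1: htb default 20
    run tc class add dev "$UPLINK" parent 1: classid 1:10 \
        htb rate "$W2K_RATE" ceil "$W2K_RATE"
    run tc class add dev "$UPLINK" parent 1: classid 1:20 htb rate "$UPLINK_RATE"
    run tc filter add dev "$UPLINK" parent 1: protocol ip prio 1 u32 \
        match ip src "$W2K_IP/32" flowid 1:10
    # Egress on the Windows NIC is everything going *to* the box; a token
    # bucket is enough there, since only that one host sits behind it.
    run tc qdisc add dev "$W2K_IF" root tbf rate "$W2K_RATE" burst 32kbit latency 400ms
}

case "${1:-}" in
    apply) isolate_w2k; shape_w2k ;;
    show)  DRY_RUN=1; isolate_w2k; shape_w2k ;;
    *)     : ;;    # no argument: only define the functions
esac
```

`sh isolate-w2k.sh show` prints the rule set for review; `apply` as root installs it. The rules are appended to FORWARD, so they sit behind whatever the router already does and assume its existing policy handles the rest; keep the per-host iptables block of the box's address on the DMZ servers as well, since that is the layer that still holds if someone later re-plugs the box into the wrong switch port. The HTB filter only shapes what the box sends upstream, which is the direction a worm consumes; the tbf on its NIC covers what comes back down to it.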

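The payload examination suggested above, as an added example that is not from the thread: a POSIX shell scanner that recognises the request lines of Code Red and Nimda probes and counts them per source in a Common Log Format access log. The signatures are the ones the CERT advisories for those worms document: Code Red hits `/default.ida?` with a long overflow string; Nimda asks for `root.exe` (the copy of cmd.exe that Code Red II left in /scripts and /MSADC) or reaches `winnt/system32/cmd.exe` through directory traversal in the web root. The log lines are constructed for the example and the function and label names are my own.

```shell
#!/bin/sh
# Added example, not code from the ALE thread: spot Code Red and Nimda
# probes in a Common Log Format access log and count them per source.
# The log lines below are constructed; function and label names are mine.
set -eu

# Classify one request path. Matching is case-insensitive because the
# worms mix case (/MSADC/root.exe alongside /scripts/root.exe).
classify_request() {
    p=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$p" in
        /default.ida\?*)            echo codered ;;   # Code Red I/II overflow
        */root.exe\?*)              echo nimda ;;     # Code Red II backdoor probe
        */winnt/system32/cmd.exe*)  echo nimda ;;     # traversal / decoding bug
        *)                          echo clean ;;
    esac
}

# Read Common Log Format lines on stdin and print "<client> <label>" for
# every request that matched a worm signature.
scan_log() {
    while IFS= read -r line; do
        client=${line%% *}
        req=${line#*\"}        # drop everything up to the opening quote
        req=${req%%\"*}        # keep the request line: METHOD PATH VERSION
        path=${req#* }         # drop the method
        path=${path%% *}       # drop the protocol version
        label=$(classify_request "$path")
        if [ "$label" != clean ]; then
            echo "$client $label"
        fi
    done
}

# Constructed sample log: one Code Red hit, one Nimda source making three
# probes, and two ordinary requests that must stay clean.
SAMPLE_LOG='203.0.113.5 - - [13/Feb/2002:22:40:01 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.9 - - [13/Feb/2002:22:40:07 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276
198.51.100.77 - - [13/Feb/2002:22:40:12 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.77 - - [13/Feb/2002:22:40:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
198.51.100.77 - - [13/Feb/2002:22:40:13 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
203.0.113.5 - - [13/Feb/2002:22:41:30 -0500] "GET /scripts/help.html HTTP/1.0" 200 512'

# Number of hits carrying a given label in the sample log.
count_label() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log | grep -c " $1\$" || true
}

# Per-source summary, "count client label", busiest source first: the
# addresses worth feeding back into the router's block list.
attack_sources() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log | sort | uniq -c | sort -rn
}

case "${1:-}" in
    demo) attack_sources ;;
    *)    : ;;    # no argument: only define the functions
esac
```

To run it against a real log, replace the `printf` of `SAMPLE_LOG` with `cat /var/log/httpd/access_log` (path is an assumption). Note that these hits show up as 404s on a box that is not vulnerable; on the Windows host in question they would be 200s, which is why the count per source, not the status code, is the useful signal.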