Re: Secured Linux box for Windows access

From: N407ER
Date: 02/12/04

  • Next message: Stephen C. Gay: "Update: SMB enumation in Win2000/03"
    Date: Wed, 11 Feb 2004 20:34:41 -0500

    Matthew White wrote:
    > Firstly I'd like to thank those people who responded to my questions
    > (both on and off the list - particularly Richard's :)
    > Briefly the responses I received centred around the following:
    > * Remote admin via OpenSSH
    > * Client access via WinSCP, sftp etc...
    > Having done some research into them since, they do look good, however I do have
    > one other requirement I didn't mention that may change things.
    > Because some of the client machines are similar to public kiosks, and
    > some of the data on the server is important to some users I'd really like to
    > avoid the necessity for users to drag and drop / copy / ftp to the local
    > machine. On the client side, I can automatically remove temp files, harden up
    > Word (as much as is possible of course) and generally look after the security
    > of the client box but all of that is moot if the user forgets to copy the file
    > back, or to delete it after copying it back. Therefore if possible I'd like to
    > have the windows system access it directly via a UNC share (hence the question
    > about samba and OpenVPN) where it saves it back to the server each time. Is
    > this possible? What do I need to do to achieve this objective?
    > One last thing. Since the suggestions came in about which version of Linux to
    > use, I've downloaded (much to my network admins' chagrin) and set up a
    > few different versions already. I admit that I'm fine with the concepts but am
    > struggling with the Linux side and its configuration. Where would you guys
    > suggest I look for information on setting up a Linux server - preferably
    > starting with an overview then moving to more detail (eg "First you need to
    > secure your network connection, passwords, updates, etc. To harden the
    > password use MD5 --> To do that go to /etc/..."). Are there any good websites
    > or newsgroups you'd suggest?

    So first, it is possible to use a VPN to secure your shares as they go
    across the Internet. The two major VPN implementations for Linux are
    FreeS/WAN (recommended for 2.4 kernels) and the kernel implementation
    itself, available in 2.6 by default and as a patch for 2.4. I've got
    little experience between the two, but my reading seems to imply that
    the 2.6 code is far superior (I've heard many complaints about the code
    quality in FreeS/WAN). That said, FreeS/WAN is clearly
    production-usable, and the documentation is far more complete than that
    for the new kernel implementation.

    Your options are probably to either set up a VPN client on each of the
    client Windows machines, or to set up a VPN tunnel between the router
    the Windows clients are behind and your server. The latter is more
    efficient and easier to set up, but only if you have a router capable of
    this (VPN-capable hardware routers are available for as little as USD$300).

    Once you have this set up, on the server you will see a different
    interface representing the IPSec tunnel. If you set Samba to only listen
    on that interface, only people over the tunnel will be able to access
    it. You are essentially done (you probably want to secure the Samba
    users, still, so that not just anybody behind the VPN gateway on the
    other end can access the share); the Samba traffic going over the
    Internet will (assuming you have chosen ESP in your IPSec tunnel) now be
    encrypted so nobody can tamper with it or read it.

    As for securing Linux, there are many good Linux howtos in general at; and similar websites, and many vendors have
    distribution-specific guides to security. There are also some good
    scripts to help secure an install, like BastilleLinux, which changes
    settings to make it more secure by default. There are also many books on
    the subject, and it's really far too complex a topic to discuss here.

    Good luck.
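As an added example that is not part of N407ER's reply: the smb.conf fragments and the small audit script below show the weak default (smbd bound to every interface, so anyone who can reach port 139/445 on the server bypasses the tunnel) beside the restricted form the reply describes, plus a check you can point at your own smb.conf. It assumes FreeS/WAN's KLIPS, which exposes the tunnel as a virtual interface (called ipsec0 here); the native 2.6 IPsec stack does not create such an interface, so there you would restrict by address with hosts allow / hosts deny instead, and in both cases still gate the share with valid users so that not just anybody behind the remote VPN gateway can open it. The interface name, the 10.8.0.0/24 remote range, the share name and the group name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the [global] section of
# a Samba smb.conf for the "listen only on the IPsec tunnel" setting the
# reply describes. Assumes a KLIPS-style virtual interface named ipsec0;
# override with TUNNEL_IF=... . Sample configs below are constructed.

TUNNEL_IF="${TUNNEL_IF:-ipsec0}"

# Constructed "before" config: no interfaces restriction, so smbd binds
# every address on the box, tunnel or not.
WEAK_CONF='[global]
   workgroup = OFFICE
   security = user
[docs]
   path = /srv/docs
   read only = no
'

# Constructed "after" config: bind only to the tunnel interface and loopback,
# belt-and-braces restrict by source address, and limit the share to a group.
HARDENED_CONF='[global]
   workgroup = OFFICE
   security = user
   interfaces = lo ipsec0
   bind interfaces only = yes
   hosts allow = 127.0.0.1 10.8.0.0/24
   hosts deny = 0.0.0.0/0
[docs]
   path = /srv/docs
   read only = no
   valid users = @docusers
'

# samba_bound_to_tunnel CONFIG_TEXT
# Exit 0 when [global] has "bind interfaces only = yes" and an "interfaces"
# list naming TUNNEL_IF and no other non-loopback interface; exit 1 otherwise.
# Samba ignores case and whitespace in parameter names, and accepts lists
# separated by spaces or commas; the awk below normalises the same way.
samba_bound_to_tunnel() {
    printf '%s\n' "$1" | awk -v tun="$TUNNEL_IF" '
        /^[ \t]*[;#]/ { next }                       # comment lines
        /^[ \t]*\[/   { sect = tolower($0); gsub(/\[|\]|[ \t]/, "", sect); next }
        sect != "global" { next }
        {
            line = $0
            n = index(line, "=")
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1)); gsub(/[ \t]+/, "", key)
            val = substr(line, n + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "bindinterfacesonly")
                bind_only = (tolower(val) == "yes" || tolower(val) == "true")
            if (key == "interfaces") {
                saw_tun = 0; other = 0
                nf = split(val, ifs, /[ \t,]+/)
                for (i = 1; i <= nf; i++) {
                    if (ifs[i] == tun) saw_tun = 1
                    else if (ifs[i] != "" && ifs[i] != "lo" && ifs[i] != "127.0.0.1") other = 1
                }
            }
        }
        END { exit (bind_only && saw_tun && !other) ? 0 : 1 }
    '
}

# Demo: report on both constructed configs.
for name in WEAK_CONF HARDENED_CONF; do
    eval "conf=\$$name"
    if samba_bound_to_tunnel "$conf"; then
        echo "$name: smbd restricted to $TUNNEL_IF (and loopback)"
    else
        echo "$name: smbd reachable on interfaces other than $TUNNEL_IF"
    fi
done
```

To run it against a real server, feed it the file (`samba_bound_to_tunnel "$(cat /etc/samba/smb.conf)"`), confirm Samba parses the file with `testparm -s`, and after restarting smbd verify with `netstat -tln` that ports 139 and 445 are listening only on the tunnel address and 127.0.0.1. Note that `bind interfaces only` on its own does nothing useful without a matching `interfaces` line, which is why the check requires both.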
