Internet Explorer possible to use securely on heterogeneous LAN?
From: Chris Carlen (crobc_at_BOGUSFIELD.earthlink.net)
Date: Thu, 01 Jul 2004 19:06:10 -0700
I am asking this here because I have a LAN with two Linux boxes, Suse 8.1
not particularly well patched. I never bother since the LAN is trusted,
and the firewall takes care of keeping the riffraff out. I used to use
a Linux firewall router but have now switched to a Linksys WRT54G with the
wireless turned off, and the settings as tight as possible. I don't run
software firewalls on the LAN Linux boxes since they are running various
I am reasonably confident in the security of this setup.
However, we run Windows 2000 on two VMware VMs on the Linux boxes on the
LAN, and one of them my wife wants to use to access a Thai TV website
that only works with IE, and worse yet uses ActiveX controls. I
discovered this after turning them off in IE, and the site wouldn't work.
But as I understand from recent advisories, even with everything turned off
in IE, it is still an insecure, bug-ridden piece of junk.
I want to be able to use IE for my wife's enjoyment, but not compromise
the security of my LAN/internet separation.
What are my options?
Before, we ran things very loosely, with weak passwords, the same
passwords used all over the place, and admin privileges on the user
accounts of the Win2k clients. The LAN Linux boxes have NFS, ftp, and
telnet servers running.
Now I have made all passwords strong, changed the Win2k users to
restricted group so they cannot install software on the machines, and I
had my wife create a new Win2k user account for running IE only. That
account doesn't have a corresponding Linux account, so that the Linux
Samba server that shares the Linux files to the Win2k VM won't be
accessible to the IE user account.
Summary: Strong PWs, IE user account can't install software on Win2k
VM, and can't access Linux filesystem.
Uh-oh, but there's a problem. The LAN servers aren't protected from the
Win2k VMs. The Win2k VMs can snoop net traffic and pick up plain text
telnet passwords. I could shut down telnet servers, and use only ssh.
But what about the NFS servers? Are they a risk? I absolutely need
those. Without them, I might as well not have a LAN.
There is another possibility I am considering: Put the machine to be
used for IE browsing on a DMZ. But I don't understand enough about how
the Linksys router implements the DMZ. I still want to firewall the DMZ
strongly. And I want the LAN to be firewalled against the DMZ just as
it is against the internet. As I understand a DMZ, this would be true.
But I am not sure if the DMZ can be locked down just the same as the LAN.
This requires an additional computer, but we are planning to get another
so we could use the oldest one just as a Win2k media surfing box.
Any other tips, conceptual education, and commentary would be read with
--
_____________________
Christopher R. Carlen
firstname.lastname@example.org
Suse 8.1 Linux 2.4.19
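The poster asks whether the NFS servers on the LAN are a risk once a less-trusted Windows VM sits on the same segment. One practical check is to audit /etc/exports for settings that hand out more than a client needs. The following is an added example, not code from the original post or from any project it mentions; the exports text it inspects is a constructed sample, and the option names it looks for (rw, no_root_squash, insecure, wildcard clients) are standard Linux NFS export options.

```python
"""Audit an NFS /etc/exports file for settings that widen exposure on a LAN.

Added example (not from the original post). It parses export lines and
flags clients or options that let any host on the segment, including a
Windows VM, do more than it should. SAMPLE_EXPORTS is constructed data.
"""
import re

# Constructed sample: a mix of tight and loose export lines. The last line
# shows the classic pitfall of a space before "(rw)", which exports to
# everyone with rw, not just to the named host.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home            192.168.1.10(rw,root_squash)  192.168.1.11(rw,root_squash)
/srv/media       192.168.1.0/24(ro,all_squash)
/export/backup   *(rw,no_root_squash)
/export/scratch  192.168.1.0/24(rw,insecure,no_subtree_check)
/export/pub      192.168.1.10 (rw)
"""

# One client spec: host or netgroup, optionally followed by (options).
CLIENT_RE = re.compile(r'^(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?$')


def parse_exports(text):
    """Return [(path, [(client, set(options)), ...]), ...] for non-comment lines."""
    result = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:]
        clients = []
        for spec in specs:
            # A bare "(opts)" with no host means "every host" in exports(5).
            if spec.startswith('('):
                spec = '*' + spec
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            opts = set(filter(None, (m.group('opts') or '').split(',')))
            clients.append((m.group('host'), opts))
        result.append((path, clients))
    return result


def audit_exports(text):
    """Return (path, client, finding) tuples for exports worth tightening."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == '*' or host.startswith('*.'):
                findings.append((path, host, 'exported to any host (wildcard client)'))
            if '/' in host and 'rw' in opts:
                findings.append((path, host, 'read-write to a whole subnet'))
            if 'no_root_squash' in opts:
                findings.append((path, host, 'no_root_squash: remote root acts as local root'))
            if 'insecure' in opts:
                findings.append((path, host, 'insecure: accepts requests from unprivileged ports'))
    return findings


if __name__ == '__main__':
    for path, host, why in audit_exports(SAMPLE_EXPORTS):
        print(f'{path:18s} {host:18s} {why}')
```

Run against the real file with `audit_exports(open('/etc/exports').read())`. The point for the poster's setup is that an export limited to the specific Linux hosts, read-only where possible and with root_squash left on, stays usable from the LAN while giving a compromised VM on the same wire far less to work with.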