Hello,
The method we use for some security on our local LANs is described here:
http://www.acornnmr.com/appnotes/security.htm
If you need more help let me know and I will try to expand on the
issues on the web page.
woody_at_acornnmr.com
Wei Li wrote:
> Dear Dr. Conover,
>
> I think you have a very good point here. I am currently trying to set up a
> Linux box as a firewall between my SGIs, Suns and Windows and the outside
> network with Redhat 7.2 on a PC. As you said, it really needs a lot of
> technical expertise to do it correctly. So I am just wondering if I can get
> some help from you, especially how to configure the NAT and the IPTABLES.
>
> I already installed Redhat 7.2 on the PC, and the PC has two ethernet cards
> (eth0 and eth1). I also have the 8-port hub. My workstations all have normal
> IP addresses, and I sort of know that I have to set up some special IP
> addresses for the internal network and other stuff.
>
> Would it be possible that you send some reasonably detailed instructions on
> how to configure the Linux and what I should do with the IP addresses on my
> Suns and SGIs?
>
> Thank you very much and I hope that you can help me out.
>
> Best regards
>
> Wei Li
>
> ----- Original Message -----
> From: "Woodrow Conover" <woody_at_acornnmr.com>
> To: <ammrl_at_chemnmr.colorado.edu>
> Cc: <PeterL_at_raf.liu.se>
> Sent: Thursday, March 14, 2002 11:27 AM
> Subject: Windows, Linux and security
>
>
> > Hello,
> >
> > Peter Lundberg wrote:
> > > Considering that manufacturers of MR systems slowly appear to
> > > move from unix to windows, any opinions on any alterations (potential
> > > or real) of the systems reliability, performance, and in particular
> > > sensitivity to virus-infections.
> >
> > As on a Unix or a Linux system, the ways someone on the internet can
> > affect a PC running Windows are directly proportional to the services
> > that are running on the Windows box. It is most secure if it is not
> > connected to a LAN that is connected to the internet. However, that
> > configuration is not as useful as one which is connected to the
> > internet.
> > So, to be more secure don't run Outlook or other mail programs on the
> > PC running Windows which is running the spectrometer. It is best
> > to go through the list of services running and stop as many as possible
> > for your uses, such as: Java, Windows scripting, all mail clients, any
> > web or ftp servers, etc.
> >
> >
> > > I suspect that the manufacturers are not really taking the
> > > Windows virus threat all that seriously. Am I wrong?
> >
> > I think everybody is taking virus threats seriously, but the trouble
> > lies in the compromise between security and utility in a world that is
> > more networked every day. It is not a Windows specific thing. It is
> > a wonder that with all the NMR instruments being run today by Unix
> > boxes and Windows that more are not compromised than what we see
> > today.
> >
> >
> > > BTW, I don't understand why Linux is not more widely used (or is it?).
> >
> > JEOL uses Linux and not Windows. We use Linux a lot at Acorn NMR but
> > for server stuff. All of our web, ftp and mail is on Redhat Linux 7.2.
> > We have not yet found Star Office and KDE Office applications
> > to be as easy to use as Microsoft Office applications. There are also
> > problems exchanging files from these Linux applications with a world
> > running Windows. In addition, there are a LOT of other applications
> > available for Windows that are not available on Linux.
> >
> > The problem here is that Linux is not easy to use. While it is getting
> > better, you need a LOT MORE technical expertise to configure a working
> > Linux box and even more to configure a secure working Linux box. A common
> > mistake is to believe that you can set up a Linux box in what you think
> > is a secure manner and then just leave it alone. NOT TRUE !!! You need to
> > monitor the logs and watch for intrusion attempts at least daily. Our systems
> > often have more than 100 attempted intrusions each day. So what we have
> > done is set up a very tight Linux box with IPTABLES that sees the outside
> > world and creates a more secure LAN with NAT where our main PCs running
> > Windows, Macintosh and Linux hide. The NAT service means they have full
> > access to the internet and the IPTABLES stuff is configured to DROP access
> > to all services we don't specifically allow. As it is dropping incoming
> > connection attempts it logs them. Daily we inspect the logs and usually
> > find many access attempts not allowed in. Often these attempts come from
> > IP addresses that are repeat offenders, so we add these IP addresses to
> > our badguys list in the IPTABLES and never hear from them again. We would
> > be happy to share our IPTABLES script with anyone interested and there are
> > many example IPTABLES configurations on the internet.
> >
> > I would recommend that any NMR instrument running Windows (or other OS) be
> > put behind a Linux box for additional security. This Linux box needs to be
> > monitored daily in the logs and with security programs like Tripwire. When
> > problems are found, and there will be problems, rapid action needs to be
> > taken to address the problem areas. This is an ongoing, never-ending and
> > complex job. The job can, however, be automated somewhat by scripts, but
> > the scripts can only aid and not replace human visual inspection.
> >
> > woody_at_acornnmr.com
> >
> >
> >
>
Received on Fri Mar 15 2002 - 10:20:01 MST
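An added example, not the Acorn NMR IPTABLES script offered above nor anything from this thread, of the gateway the thread describes and Wei Li asks about: a two-card Linux box with a default DROP policy, NAT hiding the inside LAN, rate-limited logging of dropped attempts, a badguys list, and the daily log check that feeds it. Interface names, the LAN range, the file paths and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not the Acorn NMR script from the thread): a two-card Linux gateway
# in the shape the message describes, plus the daily log check for repeat offenders.
# Interface names, the LAN range, file paths and the sample log lines are assumptions.
IPT="${IPT:-iptables}"                 # set IPT=echo to print the rules instead of loading them
WAN=eth0                               # assumed: card facing the outside network
LAN=eth1                               # assumed: card on the hub with the Suns and SGIs
LAN_NET=192.168.1.0/24                 # assumed private range for the hidden LAN
BADGUYS="${BADGUYS:-/etc/badguys.txt}" # assumed path; one repeat-offender address per line
build_rules() {
    $IPT -F; $IPT -t nat -F
    # Default DROP: nothing reaches the gateway or the LAN unless allowed below.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    # Known repeat offenders are dropped first and silently, so they stop filling the log.
    if [ -r "$BADGUYS" ]; then
        while read -r ip; do [ -n "$ip" ] && $IPT -A INPUT -s "$ip" -j DROP; done < "$BADGUYS"
    fi
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only ssh from the inside LAN may reach the gateway itself.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    # The LAN may open any outbound connection; MASQUERADE hides it behind the WAN address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Anything else arriving from outside is logged (rate-limited), then hits the DROP policy.
    $IPT -A INPUT -i "$WAN" -m limit --limit 10/min -j LOG --log-prefix "IPT DROP: "
}
# Daily check: dropped attempts per source address as "ip count", most frequent first.
repeat_offenders() {
    grep 'IPT DROP: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}
# Sources dropped at least N times (default 2): candidates for the badguys list.
badguy_candidates() {
    repeat_offenders | awk -v n="${1:-2}" '$2 >= n { print $1 }'
}
# Constructed sample of kernel log lines (documentation addresses), used by the dry run.
SAMPLE_LOG='Mar 15 03:12:01 gw kernel: IPT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=21
Mar 15 03:12:05 gw kernel: IPT DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=23
Mar 15 04:01:44 gw kernel: IPT DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=80
Mar 15 04:02:00 gw sshd[412]: Accepted password for nmr from 192.168.1.20'
case "${1:-}" in
    apply) build_rules ;;                           # load the rules for real (as root)
    check) repeat_offenders < /var/log/messages ;;  # assumed syslog location on Red Hat 7.2
    *)     IPT=echo build_rules                     # dry run: print the rules, then the sample check
           printf '%s\n' "$SAMPLE_LOG" | badguy_candidates 2 ;;
esac
```

Run with no argument to see the rules that would be loaded and the one address the sample log would add to the badguys list; `apply` and `check` are the two jobs the thread says must be done (load the rules, read the logs daily).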