Re: one way firewall?

From: Dylan Griffiths <dylang_at_no.spam.please>
Date: Tue Aug 21 2007 - 11:55:11 CST

Gordon J. Holtslander wrote:
> I have little experience with firewalls.

This doesn't sound like a firewall, it sounds like a bridge.

> I am wondering if this system can be directly networked and firewalled to a
> second system that is networked. Is it possible to get data from the Windows
> 2000 system to the second system, but prevent any data from getting from the
> second system back to the Windows 2000 system. If any data is compromised on
> the second system I don't want it to have any access to the Windows 2000
> system.

You could set up:

[Win2k] =={LAN}== [Linux-bridge] =={Internet}== ...

But then you say you don't want to have the second system to have access
to the first.

[Win2k] =={LAN}== [Linux-firewall] =={LAN}== [Linux-bridge] =={Internet}== ...

If you further this line of reasoning, you'll never finish, because
you'll always have to add another firewall. There's no way that these
two systems can exchange data and not be connected, unless you want to
invest in an AirGap. That's a commercial product where an OpenBSD
system with no network connection will physically change connections
(through a robot) of two connected systems via a 3rd system which never
inspects or checks the data (and thus is never compromised). It's still
possible (however improbable) for a determined attacker to get past such
a thing, though.

Given that you're at the University, I suspect the major trouble you
want to avoid is the constant flood of scans and worms looking for
vulnerable Windows machines. We can do that.

> It would be most convenient if the data interchange between the windows 2000
> and the data host was smb
>
> The second system could be used to provide a flexible number of data exchange
> options - networking, CD/DVD burning, memory stick etc.,
>
> Any suggestions?

If we look at this:

[Win2k] =={LAN}== [Linux-bridge] =={Internet}== ...

The Win2k machine can't access the Internet, and the Internet can't
access the Win2k machine. If you set up the Linux machine to share out a
disk via the eth that connects to the LAN for the Win2k area, then it
can write out its results to that shared SMB drive. It shouldn't be
hard to then access the Linux bridge how you want to get at the data.

Of course the trouble here is that if you aren't proactive in your
bridge security, there's nothing to stop an automated attack from taking
over the bridge, and someone then attacking your Win2k box.

Now, there's no reason you should have that Linux bridge connected to
the Internet (indeed, no equipment should ever be directly connected,
save a firewall, IMO), so you could set up a nicer looking one like this:

[Win2k] =={LAN}== [Linux-bridge] =={MAIN LAN}== .(entire research LAN subnet). =={MAIN LAN}== [Firewall] =={DMZ}== [Border packet filtering] =={Internet}== ...

This gives you the packet filtering at the border and a nice DMZ, a
firewall that protects all your research machines, and the additional
security of a bridge in the event that your research LAN is compromised
(say, by someone bringing in a Windows laptop from home that's infected
-- people often practice very poor data security procedures at home for
some reason). This gives you more time to detect and respond to these
issues, rather than them silently happening.

So, a simple Linux bridge is not an issue (you have to enable packet
forwarding manually on a firewall, so just don't do that), or you can
make a more secure infrastructure. Just make sure you have a good set
of policies and procedures about how things should be handled.

Also, Terry Roebuck will be back this fall and teaching CMPT 352 -- a
very good class on computer and data security, as well as other kinds of
security (physical, etc). I recommend you either attend the class or
get the whopper of a textbook and read a bit to get more information :)
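The reply above hinges on two settings of the Linux box that sits between the Win2k machine and the rest of the network: kernel IP forwarding must stay off (so the box never routes between the two LANs), and the Samba share it offers must be bound only to the Win2k-side interface. The following audit script is an added example and is not part of the thread; it feeds constructed sample inputs (a `sysctl` output line and two `smb.conf` texts) through the checks a defender would run on such a host. The interface name `eth0`, the subnet `10.0.0.0/24` and the path `/srv/results` are assumptions chosen for the sample, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Linux "SMB drop-box" host the
# reply sketches ([Win2k] == LAN == [Linux box] == main LAN). Two settings
# carry the one-way intent: kernel IP forwarding stays off, so the box never
# routes between the two LANs, and Samba binds only to the Win2k-side
# interface with guest access refused. All inputs below are constructed
# samples; interface names, addresses and paths are hypothetical.

# Constructed output of 'sysctl net.ipv4.ip_forward' on a good and a bad host.
SYSCTL_OK="net.ipv4.ip_forward = 0"
SYSCTL_BAD="net.ipv4.ip_forward = 1"

# Constructed smb.conf that pins Samba to eth0 (assumed to be the Win2k LAN
# side) and offers one writable share for results; hosts allow limits
# clients to that LAN.
SMB_OK='[global]
   workgroup = LAB
   interfaces = lo eth0
   bind interfaces only = yes
   hosts allow = 127.0.0.1 10.0.0.0/24
   hosts deny = 0.0.0.0/0

[results]
   path = /srv/results
   writable = yes
   guest ok = no'

# Constructed smb.conf that listens on every interface and allows guests:
# the main LAN could reach the share (and the Win2k data) through it.
SMB_BAD='[global]
   workgroup = LAB

[results]
   path = /srv/results
   writable = yes
   guest ok = yes'

# Return 0 when the sysctl line shows ip_forward = 0.
forwarding_disabled() {
    value=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward *= *//p')
    [ "$value" = "0" ]
}

# Helper: does the config text ($1) contain a "key = value" line ($2 = $3)?
smb_has() {
    printf '%s\n' "$1" | grep -qi "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3"
}

# Return 0 when Samba is bound to named interfaces, limited by hosts allow,
# and no share permits guest access.
smb_conf_restricted() {
    smb_has "$1" 'bind interfaces only' 'yes' || return 1
    smb_has "$1" 'hosts allow' '.'          || return 1
    if smb_has "$1" 'guest ok' 'yes'; then
        return 1
    fi
    return 0
}

# Combine both checks; prints each finding and returns 0 only if both pass.
audit_dropbox() {
    status=0
    if forwarding_disabled "$1"; then
        echo "ok:   IP forwarding is off"
    else
        echo "FAIL: IP forwarding is on; the box routes between the LANs"
        status=1
    fi
    if smb_conf_restricted "$2"; then
        echo "ok:   Samba is pinned to the Win2k-side interface, no guests"
    else
        echo "FAIL: Samba is reachable from the main LAN or allows guests"
        status=1
    fi
    return $status
}

# Sample run against the constructed inputs.
echo "--- hardened host"; audit_dropbox "$SYSCTL_OK" "$SMB_OK"
echo "--- default host";  audit_dropbox "$SYSCTL_BAD" "$SMB_BAD" || true
```

On a real host you would pass the live output of `sysctl net.ipv4.ip_forward` and of `testparm -s` (which prints Samba's effective configuration) in place of the constructed strings. The checks are deliberately conservative: a missing `hosts allow` or a single `guest ok = yes` anywhere in the file fails the audit, because either one lets a compromised machine on the main LAN reach the share that the Win2k box writes to.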

Received on Tue Aug 21 11:55:29 2007
