Re: one way firewall?

From: Dave Hall <dave-slg_at_no.spam.please>
Date: Thu Aug 23 2007 - 13:38:45 CST

On Thu, Aug 23, 2007 at 12:13:45PM -0600, Gordon J. Holtslander wrote:
> On August 21, 2007 2:57:47 pm Dave Hall wrote:
> > On Tue, Aug 21, 2007 at 02:28:56PM -0600, Chris Friesen wrote:
> > > Dave Hall wrote:
> > > >It sounds like you just want to isolate the instrument's computer from
> > > > the big band network since it can not be properly managed.
> > > >
> > > >Why not just add a second network card to the machine that you will be
> > > >using to fetch the data and connect the two with a cross-over cable.
> > >
> > > This leaves the system at risk to a compromised "data fetching" machine.
> > > If that's an acceptable risk, then fine. My earlier suggestion was to
> > > add a filtering bridge in addition to this proxy machine.
> >
> > How is the risk to the data any different? Are the additional layers of
> > security worth the cost and effort relative to the risk?
> >
> > What Gordon described sounds like a situation which is quite common in many
> > of the research labs around here. Various instrumentation is controlled by
> > older Windows boxes which have a high risk of breaking due to very narrow
> > compatibility requirements. The desktop guys tell me there are quite a few
> > Windows 98 boxes controlling instrumentation that are not networked. The
> > downside is there are no virus scanner updates so they get hit by viruses
> > on memory sticks used to collect data. Gordon, is this the case?
>
> Dave is correct - the instrument demands that the operating system be
> configured in a very specific way that can not be changed. This means no
> system patches can be applied to it, leaving it very vulnerable. It can't
> be safely networked easily.
>
> While this makes the instrument work very well it poses many compromises on how
> the data created on the computer by this instrument can be accessed. The
> only safe way data can be moved off the system is by burning the data to CD
> DVD. The users end up creating enormous numbers of disks. Many want to use
> usb memory keys - but I think that poses a risk.

Yes, definitely avoid the memory stick (or floppy/Zip/etc) options. That
causes our support folks no end of grief since the non-networked systems
don't get their virus scanners updated.

>
> I am looking for a way of safely and easily getting the data from the
> vulnerable system to a system that can be networked and have up to date
> anti-virus information. This system could then be used to support a wide
> range of data transfer technologies - networking, memory keys, memory cards,
> CD's DVD's etc etc ...

Yup, just add a second network card to this so you have one card facing
the campus network, DHCP'd with a 128.123 address. On the other card,
statically assign it a 192.168.x.y address. Connect it to the instrument
machine with a cross-over cable. Disable IP forwarding on the secure system.

Instrument Host:
IP: 192.168.255.253
Netmask: 255.255.255.252
Gateway: 192.168.255.254

Data Host (2nd NIC):
IP: 192.168.255.254
Netmask: 255.255.255.252

[instrument host]----[data host]----{campus network}

You can give me a shout at 6156 if you want some help with specifics.
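The two-NIC layout Dave sketches above, written out as an added example that is not part of the thread: it checks that the instrument host and the data host's second NIC really sit on one /30 point-to-point link with the data host as the instrument's gateway, and renders the data-host commands that keep the link from becoming a path to the campus network (forwarding off, and the data host only ever pulls from the instrument). Assumptions not in the thread: the data host runs Linux with iproute2, sysctl and nftables, and `eth1` is a placeholder for the instrument-facing NIC.

```python
"""Added example: validate and render the isolated /30 link from the thread.
Assumed (not from the thread): Linux data host, iproute2, sysctl, nftables,
placeholder interface name eth1 for the instrument-facing NIC."""
import ipaddress

# Addresses as given in the thread
INSTRUMENT_IP = "192.168.255.253"
DATA_HOST_IP = "192.168.255.254"
NETMASK = "255.255.255.252"
INSTRUMENT_GATEWAY = "192.168.255.254"


def check_plan(instrument_ip, data_host_ip, netmask, gateway):
    """Return a list of problems with the addressing plan (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(f"{data_host_ip}/{netmask}", strict=False)
    usable = list(net.hosts())  # a /30 leaves exactly two usable addresses
    if net.prefixlen != 30:
        problems.append(f"{netmask} is not a /30; a point-to-point link needs only two hosts")
    for name, ip in (("instrument", instrument_ip), ("data host", data_host_ip)):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name} {ip} is outside {net}")
        elif addr not in usable:
            problems.append(f"{name} {ip} is the network or broadcast address of {net}")
    if instrument_ip == data_host_ip:
        problems.append("both ends of the link use the same address")
    if gateway != data_host_ip:
        problems.append(f"instrument gateway {gateway} should be the data host NIC {data_host_ip}")
    return problems


def render_data_host_config(data_host_ip, netmask, inst_if="eth1"):
    """Commands for the data host: address the second NIC, refuse to route,
    and accept only replies to connections the data host itself opened."""
    net = ipaddress.ip_network(f"{data_host_ip}/{netmask}", strict=False)
    return [
        f"ip addr add {data_host_ip}/{net.prefixlen} dev {inst_if}",
        f"ip link set {inst_if} up",
        # The data host must never route instrument <-> campus traffic
        "sysctl -w net.ipv4.ip_forward=0",
        "nft add table inet isolate",
        "nft add chain inet isolate forward '{ type filter hook forward priority 0 ; policy drop ; }'",
        "nft add chain inet isolate input '{ type filter hook input priority 0 ; }'",
        # Data host pulls from the instrument; the unpatched instrument may not open connections
        f"nft add rule inet isolate input iifname {inst_if} ct state established,related accept",
        f"nft add rule inet isolate input iifname {inst_if} drop",
    ]


if __name__ == "__main__":
    print(check_plan(INSTRUMENT_IP, DATA_HOST_IP, NETMASK, INSTRUMENT_GATEWAY))
    print("\n".join(render_data_host_config(DATA_HOST_IP, NETMASK)))
```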
Received on Thu Aug 23 13:39:09 2007

This archive was generated by hypermail 2.1.8 : Thu Aug 23 2007 - 13:39:17 CST