Tim wrote:
On Fri, 2007-04-20 at 11:13 +1000, Simon Slater wrote:
shouldn't the samba and nfs ports be also open to others on the LAN?
Only if you want them to be, not by default. There's plenty of computer
systems which don't do any sort of file sharing between them.
Right - and if they are going to do moving files around, they do it
encrypted over ssh one way or another. If you have decided to defeat
the external firewall completely, exposing all those ports, that is not
a good situation security-wise (although IIRC this is one of the reasons
I decided never to use NFS).
It's a bit of a false comfort to consider the local network any safer
than the WAN side... if an attacker has gained control of a machine on
the LAN then attacks and monitoring from inside the LAN can be expected.
So PCs on the LAN should not trust another box on the LAN any more
than they trust a random box from another country.
In the same vein, if you are using strongly encrypted wireless
networks... it's encrypted alright from the outside, but all your
traffic and connections are totally visible to any other boxes inside
your network that have the same key, and typically there are indeed
other local boxes using the wireless network too. An attacker who has
owned a box that authenticates to your wireless network, or nosy person
with legit access can sniff everything you do from your box unencrypted
despite the use of strong encryption on the network, making it important
to use ssh tunnels or some other encryption that only you have the key for.
-Andy
