On Fri, 2007-04-20 at 05:36 +0100, Andy Green wrote:
> Tim wrote:
> > On Fri, 2007-04-20 at 11:13 +1000, Simon Slater wrote:
> >> shouldn't the samba and nfs ports be also open to others on the LAN?
> >
> > Only if you want them to be, not by default. There are plenty of computer
> > systems which don't do any sort of file sharing between them.
>
> Right - and if they are going to be moving files around, they do it
> encrypted over ssh one way or another. If you have decided to defeat
> the external firewall completely, exposing all those ports, that is not
> a good situation security-wise (although IIRC this is one of the reasons
> I decided never to use NFS).
>
> It's a bit of a false comfort to consider the local network any safer
> than the WAN side... if an attacker has gained control of a machine on
> the LAN then attacks and monitoring from inside the LAN can be expected.
> So PCs on the LAN should not trust another box on the LAN any more
> than they trust a random box from another country.
>
> In the same vein, if you are using strongly encrypted wireless
> networks... it's encrypted alright from the outside, but all your
> traffic and connections are totally visible to any other boxes inside
> your network that have the same key, and typically there are indeed
> other local boxes using the wireless network too. An attacker who has
> owned a box that authenticates to your wireless network, or a nosy person
> with legit access, can sniff everything you do from your box unencrypted
> despite the use of strong encryption on the network, making it important
> to use ssh tunnels or some other encryption that only you have the key for.
>
> -Andy
>

Thanks, Andy. I hadn't really considered things that way before. At the moment we only have a few computers coming online in a small business and at home, so personnel access is quite restricted.

We are only 50 yards from a high school with lots of laptop users, so I have kept clear of wireless links between our buildings for the moment until I learn more about its security. Distances are not great, so running cables is not a big issue. Access to the WWW is still dial-up for the next few months, but will go ADSL soon. In the meantime I am learning how to keep things secure, in preparation for when we are connected 24/7 and have our own web server operating. Lots of learning to go yet, I think.

Regards
Simon