Re: Do I need these ports open?

On Fri, 2007-04-20 at 05:36 +0100, Andy Green wrote:
> Tim wrote:
> > On Fri, 2007-04-20 at 11:13 +1000, Simon Slater wrote:
> >> shouldn't the samba and nfs ports be also open to others on the LAN? 
> > 
> > Only if you want them to be, not by default.  There's plenty of computer
> > systems which don't do any sort of file sharing between them.
> Right - and if they are going to do moving files around, they do it 
> encrypted over ssh one way or another.  If you have decided to defeat 
> the external firewall completely, exposing all those ports, that is not 
> a good situation security-wise (although IIRC this is one of the reasons 
> I decided never to use NFS).
> 
> It's a bit of a false comfort to consider the local network any safer 
> than the WAN side... if an attacker has gained control of a machine on 
> the LAN then attacks and monitoring from inside the LAN can be expected. 
>   So PCs on the LAN should not trust another box on the LAN any more 
> than they trust a random box from another country.
> 
> In the same vein, if you are using strongly encrypted wireless 
> networks... it's encrypted alright from the outside, but all your 
> traffic and connections are totally visible to any other boxes inside 
> your network that have the same key, and typically there are indeed 
> other local boxes using the wireless network too.  An attacker who has 
> owned a box that authenticates to your wireless network, or nosy person 
> with legit access can sniff everything you do from your box unencrypted 
> despite the use of strong encryption on the network, making it important 
> to use ssh tunnels or some other encryption that only you have the key for.
> 
> -Andy
> 
	Thanks Andy, I hadn't really considered things that way before.  At the
moment we only have a few computers coming online in a small business
and at home, so personnel access is quite restricted.  We are only 50
yards from a high school with lots of laptop users, so I have kept clear
of wireless links between our buildings for the moment until I learn
more about its security.  Distances are not great so running cables is
not a big issue.

	Access to the WWW is still dial-up for the next few months, but will go
ADSL soon.  In the meantime I am learning how to keep things secure, in
preparation for when we are connected 24/7 and have our own web server
operating.  Lots of learning to go yet I think.

Regards
Simon

