Security Basics mailing list archives

Re: Secured Linux box for Windows access

From: N407ER <n407er () myrealbox com>
Date: Wed, 11 Feb 2004 20:34:41 -0500

Matthew White wrote:

Firstly I'd like to thank those people who responded to my questions
(both on and off the list - particularly Richard's :)

Briefly the responses I received centred around the following:
* Remote admin via OpenSSH
* Client access via WinSCP, sftp etc...

Having done some research into them since, they do look good, however I do have
one other requirement I didn't mention that may change things.

Because some of the client machines are similar to public kiosks, and
some of the data on the server is important to some users I'd really like to
avoid the necessity for users to drag and drop / copy / ftp to the local
machine. On the client side, I can automatically remove temp files, harden up
Word (as much as is possible of course) and generally look after the security
of the client box but all of that is moot if the user forgets to copy the file
back, or to delete it after copying it back. Therefore if possible I'd like to
have the windows system access it directly via a UNC share (hence the question
about samba and OpenVPN) where it saves it back to the server each time. Is
this possible? What do I need to do to achieve this objective?



One last thing. Since the suggestions came in about which version of Linuix to
use, I've downloaded (much to my network admins' chagrin) and setup a
few different versions already.  I admit that I'm fine with the concepts but am
struggling with the Linux side and its configuration. Where would you guys
suggest I look for information on setting up a Linux server - preferably
starting with an overview then moving to more detail (eg "First you need to
secure your network connection, passwords, updates, etc. To harden the
password use MD5 --> To do that go to /etc/..."). Are there any good websites
or newsgroups you'd suggest?

So first, it is possible to use a VPN to secure your shares as tehy goacross the Internet. The two major VPN implementations for Linux areFreeS/WAN (recommended for 2.4 kernels) and the kernel implementationitself, available in 2.6 by default and as a patch for 2.4. I've gotlittle experience between the two, but my reading seems to imply thatthe 2.6 code is far superior (I've heard many complaints about the codequality in FreeS/WAN). That said, FreeS/WAN is clearlyproduction-usable, and the documentation is far more complete than thatfor the new kernel implementation.

Your options are probably to either set up a VPN client on each of theclient Windows machines, or to set up a VPN tunnel between the routerthe Windows clients are behind and your server. The latter is moreefficient and easier to set up, but only if you have a router capable ofthis (VPN-capable hardware routers are available for as little as USD$300).

Once you have this set up, on the server you will see a differentinterface representing the IPSec tunnel. If you set Samba to only listenon that interface, only people over the tunnel will be able to accessit. You are essentially done (you probably want to secure the Sambausers, still, so that not just anybody behind the VPN gateway on theother end can access the share); the Samba traffic going over theInternet will (assuming you have chosen ESP in your IPSec tunnel) now beencrypted so nobody can tamper with it or read it.

As for securing Linux, there are many good Linux howtos in general attldp.org; linuxsecurity.org and similar websites, and many vendors havedistribution-specific guides to security. There are also some goodscripts to help secure an install, like BastilleLinux, which changessettings to make it more secure by default. There are also many books onthe subject, and it's really far too complex a topic to discuss here.


Good luck.


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------

Current thread:

Secured Linux box for Windows access Matthew White (Feb 02)
- Re: Secured Linux box for Windows access Patrick Benson (Feb 03)
- Re: Secured Linux box for Windows access N407ER (Feb 03)
- <Possible follow-ups>
- Re: Secured Linux box for Windows access Matthew White (Feb 11)
  - Re: Secured Linux box for Windows access N407ER (Feb 12)