Re: [cobalt-security] Might be off topic. Are computers with168.192.x.x safe from Internet?
- Subject: Re: [cobalt-security] Might be off topic. Are computers with168.192.x.x safe from Internet?
- From: shimi <shimi@xxxxxxxxxxxxxxxx>
- Date: Sat, 2 Jun 2001 14:46:52 -0700 (PDT)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Sat, 2 Jun 2001, jwk at Zone Alpha wrote:
>
> ----- Original Message -----
> From: shimi <shimi@xxxxxxxxxxxxxxxx>
>
> > TO MAKE SURE, you have to set YOUR ROUTER, that is, the one plugged into the
> > switch, to accept all packets destined to you (or even to block some of
> > them, for instance NetBIOS and stuff) - and all the others to be dropped.
> >
> > That way you can ensure that no packets will arrive at your 192.168 boxes.
> >
> > HTH,
> >
> > - shimi.
>
> So, if I set up the router filtering rules so that it will accept traffic
> only to my static IPs and block all others, will my private-IP-only machines
> be safe from intruders? Or could you perceive any possible way someone can
> perhaps hack into public machines with a telnet or ftp server and access an
> internal Windows NT server? Even with firewalls, if some hacker still
> gets into public machines, are internal machines with only private IP
> addresses vulnerable or are they ABSOLUTELY safe? This question has been
> bothering me and has forced me to keep the public and private segments
> physically separated to date.
>
> James Kim
Direct access through the router will indeed be blocked.
If someone breaks into a system that has access to one of your local ones,
yes, he could access them too.
To make sure that, NO matter what happens, your 192.168.* stays
untouchable, the true solution would be a NAT firewall, basically a lame
Linux box that has NO PORT open AT ALL (and thus is untouchable, no matter
what) and an IPChains rule to MASQ any packets coming from 192.168.0.0/24.
That way they have full Internet out, and nobody can get in. I have no
"grade" or anything about security, so take my words "as is".
Basically, I am correct if it's not possible to hack into a machine without
listening ports. If I am wrong, I stand to be corrected.
HTH,
- shimi
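The NAT box shimi describes (a 2.2-kernel era Linux machine with no listening services and an ipchains MASQ rule for the private segment), written out as a reviewable rule set. This is an added example, not code from the thread or from Cobalt; the interface names, the 192.168.0.0/24 subnet as the only inside network, and the masquerade port range are assumptions. The script prints the rules by default so the "no port open at all" property can be checked before anything is applied.

```shell
#!/bin/sh
# Added example, not from the original thread: a dry-run generator for the
# ipchains rule set shimi describes (2.2-kernel NAT box, no listening services).
# Interface names, the inside subnet and the masquerade port range are
# assumptions for illustration; adjust them to the real box.

EXT_IF="eth0"                 # assumed: interface facing the Internet
INT_IF="eth1"                 # assumed: interface facing the 192.168 segment
LAN="192.168.0.0/24"          # private segment from the thread
MASQ_PORTS="61000:65095"      # assumed: default ipchains masquerade port range

# Print the rules instead of running them, so the set can be reviewed (or
# checked by a test) on a box without ipchains or root.
emit_rules() {
    # Start from a clean slate and default-deny inbound and forwarded traffic.
    printf '%s\n' "ipchains -F"
    printf '%s\n' "ipchains -P input DENY"
    printf '%s\n' "ipchains -P forward DENY"
    printf '%s\n' "ipchains -P output ACCEPT"

    # Loopback must keep working for the box itself.
    printf '%s\n' "ipchains -A input -i lo -j ACCEPT"

    # Anti-spoofing: private source addresses must never arrive on the outside
    # interface; log and drop them.
    printf '%s\n' "ipchains -A input -i $EXT_IF -s $LAN -l -j DENY"

    # Accept traffic from the LAN on the inside interface so it can be forwarded.
    printf '%s\n' "ipchains -A input -i $INT_IF -s $LAN -j ACCEPT"

    # ipchains is stateless: replies to masqueraded sessions hit the input chain
    # addressed to this box, so let in non-SYN TCP, UDP to the masq port range,
    # and ICMP. No inbound SYN is ever accepted, so no service is reachable.
    printf '%s\n' "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    printf '%s\n' "ipchains -A input -i $EXT_IF -p udp -d 0.0.0.0/0 $MASQ_PORTS -j ACCEPT"
    printf '%s\n' "ipchains -A input -i $EXT_IF -p icmp -j ACCEPT"

    # The rule from the thread: masquerade everything leaving the LAN. In the
    # forward chain, -i names the outgoing interface.
    printf '%s\n' "ipchains -A forward -i $EXT_IF -s $LAN -j MASQ"

    # Kernel forwarding is off by default; turn it on last.
    printf '%s\n' "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Count rules that would accept an inbound TCP SYN on the outside interface.
# Zero is the property shimi relies on ("no port open at all").
count_inbound_syn_accepts() {
    emit_rules | grep -- "-A input -i $EXT_IF" | grep -- "-p tcp" \
        | grep -v -- "! -y" | grep -c ACCEPT || true
}

if [ "${APPLY:-0}" = "1" ]; then
    emit_rules | sh        # apply for real (needs root and ipchains)
else
    emit_rules             # dry run: just show the rule set
fi
```

Run it plainly to review the rules, or with `APPLY=1` on the box itself to load them. The point the thread circles around is visible in the rule set: the box forwards and masquerades outbound traffic only, and the only inbound packets it ever accepts on the outside interface are replies, so a compromised public host still has no listening service on the NAT box to reach the private segment through.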