Do I need these ports open?
Simon Slater
pyevet at aapt.net.au
Fri Apr 20 10:47:08 UTC 2007
On Fri, 2007-04-20 at 05:36 +0100, Andy Green wrote:
> Tim wrote:
> > On Fri, 2007-04-20 at 11:13 +1000, Simon Slater wrote:
> >> shouldn't the samba and nfs ports be also open to others on the LAN?
> >
> > Only if you want them to be, not by default. There's plenty of computer
> > systems which don't do any sort of file sharing between them.
> Right - and if they are going to do moving files around, they do it
> encrypted over ssh one way or another. If you have decided to defeat
> the external firewall completely, exposing all those ports, that is not
> a good situation security-wise (although IIRC this is one of the reasons
> I decided never to use NFS).
>
> It's a bit of a false comfort to consider the local network any safer
> than the WAN side... if an attacker has gained control of a machine on
> the LAN then attacks and monitoring from inside the LAN can be expected.
> So PCs on the LAN should not trust another box on the LAN any more
> than they trust a random box from another country.
>
> In the same vein, if you are using strongly encrypted wireless
> networks... it's encrypted alright from the outside, but all your
> traffic and connections are totally visible to any other boxes inside
> your network that have the same key, and typically there are indeed
> other local boxes using the wireless network too. An attacker who has
> owned a box that authenticates to your wireless network, or nosy person
> with legit access can sniff everything you do from your box unencrypted
> despite the use of strong encryption on the network, making it important
> to use ssh tunnels or some other encryption that only you have the key for.
>
> -Andy
>
Thanks Andy, I hadn't really considered things that way before. At the
moment we only have a few computers coming online in a small business
and at home, so personnel access is quite restricted. We are only 50
yards from a high school with lots of laptop users, so I have kept clear
of wireless links between our buildings for the moment until I learn
more about its security. Distances are not great so running cables is
not a big issue.
Access to the WWW is still dial-up for the next few months, but will go
ADSL soon. In the mean time I am learning how to keep things secure, in
preparation for when we are connected 24/7 and have our own web server
operating. Lots of learning to go yet I think.
Regards
Simon
More information about the fedora-list
mailing list