[rescue] Putting an insecure machine on a network

Patrick Giagnocavo patrick at zill.net
Sat Mar 18 12:28:40 CST 2006


On Sat, 2006-03-18 at 12:19, Sheldon T. Hall wrote:
> I need to connect to my network a completely insecure machine that cannot be
> secured.  I want to isolate it in a way that prevents it from connecting to
> anything but one address over the Internet, and do so in a way that cannot be
> subverted without physical access to the machine.
> 
> I'm on DSL, and have one fixed IP address.  Behind that, a typical DSL modem
> with NAT and various port forwarding to my servers.
> 
> I have a Sun SPARCclassic running Solaris 7 that has two NICs. One is on my
> internal network, the other is unused. Is there a way I can activate the
> second NIC and "lock" it in a way that any machine connected to it only has
> access to one IP address on the Internet, and no access to the Sun itself or
> to any machine on my network?

IPFilter plus a non-routable IP on the insecure machine, plus (optional)
an SSH tunnel that goes from Internet machine to insecure.

e.g.

Router: 192.168.1.1, netmask 255.255.255.0

Solaris:
NIC 0: 192.168.1.10, netmask 255.255.255.0
NIC 1: 10.1.1.193 netmask 255.255.255.192 or something similarly oddball
IPFilter set up appropriately, blocking all access except to the
external IP
static ARP entry of insecure's MAC address into /etc/ethers

Insecure machine: 10.1.1.194, netmask 255.255.255.192

crossover cable from insecure to NIC 1

The ssh tunnel from Internet machine is optional.  IIRC you would set
sshd_config to AllowTcpForwarding=yes and GatewayPorts=yes on the
Solaris box, then use the -R and -L port forwarding commands in
combination to allow tunneled traffic from the remote IP to pop out on
the 10.1.1.x network.

Caveats: 
if someone gets root on your Solaris box 
if someone can sniff traffic on your local switch they can probably get
the data (by rooting another machine or your little DSL router)
double-NATing may or may not cause an issue and needs to be tested
if all you need is connections initiated by insecure to the other
machine this may be overkill

--Patrick
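A concrete IPFilter ruleset for the layout Patrick sketches, added here as an example and not part of the original thread. The interface names le0/le1, the /etc/opt/ipf file paths and the external address 203.0.113.10 are assumptions; the addresses otherwise follow his message.

```ipf
# /etc/opt/ipf/ipf.conf -- constructed example for the layout in the reply.
# Assumptions: le0 = NIC 0 (192.168.1.10, internal LAN); le1 = NIC 1
# (10.1.1.193/26, crossover cable to the insecure host at 10.1.1.194);
# 203.0.113.10 stands in for the one Internet address the host may reach.
# IPFilter semantics: without "quick" the LAST matching rule wins, so the
# two catch-all blocks are the default; a matching "quick" rule ends the
# search immediately.

# Default for the isolation interface: drop and log everything, both ways.
block in log on le1 all
block out log on le1 all

# Nothing arriving on the isolation segment may reach the Sun itself, the
# 10.1.1.192/26 segment or the internal LAN, whatever the rules below say.
block in log quick on le1 from any to 10.1.1.193/32
block in log quick on le1 from any to 10.1.1.192/26
block in log quick on le1 from any to 192.168.1.0/24

# Anti-spoofing: only the insecure host's own address is accepted on le1.
block in log quick on le1 from ! 10.1.1.194/32 to any

# The single permitted path. "keep state" admits the replies on le0 and
# lets them back out on le1 without any further pass rules.
pass in quick on le1 from 10.1.1.194/32 to 203.0.113.10/32 keep state

# Optional, for the SSH tunnel variant: the Sun's own address on le1 may
# open connections to the insecure host so -R/-L forwards can "pop out".
# pass out quick on le1 from 10.1.1.193/32 to 10.1.1.194/32 keep state

# /etc/opt/ipf/ipnat.conf -- the 10.1.1.x segment is translated to the Sun's
# LAN address before the DSL router NATs it a second time (the double NAT
# mentioned in the caveats).
map le0 10.1.1.192/26 -> 192.168.1.10/32

# Companion settings, as comments (Solaris commands, not IPFilter rules):
#   ndd -set /dev/ip ip_forwarding 1          # the Sun must route between NICs
#   arp -f /etc/ethers                        # load the static entry for the
#   /etc/ethers line: <MAC-of-insecure-host> insecure   # insecure host's MAC
```

Load with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and `ipnat -CF -f /etc/opt/ipf/ipnat.conf`, then confirm from the insecure host that 10.1.1.193, 192.168.1.x and any Internet address other than the permitted one are unreachable while `ipmon` shows the blocked attempts being logged.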
