DaemonForums  

Remote Access to File Server

#1 - 22nd June 2008 - Oko

I am a hobbyist, so I was wondering if you system administrators could explain something to me regarding remote access to a file server.

Suppose that I want to run a full-blown network with the following topology:

internet <--> PF1 <--> DMZ <--> PF2 <--> LAN zone

In which my file server as well as my DNS server are in the LAN zone and completely invisible from the internet. Ideally I am thinking that the PF2 rules should allow only access for people from the LAN zone to the internet via the Squid proxy in the DMZ, as well as fetching mail from the mail server, which is also in the DMZ, and nothing else. The PF2 blocking policy ideally should be block all.

Suppose now I am a user and want to access my files on the file server in the LAN zone from my home, which is outside the LAN zone, actually the Internet on the above diagram. Of course the File Server doesn't run OpenSSH, and moreover PF2 would block access to it anyway. Let's suppose that I put another machine in the DMZ which is now my SSH gateway for files.

How can I make the files on the File Server visible to a user who is logged into such an SSH gateway?
I have a couple of ideas in mind.

One is having a second copy of the files on the SSH gateway machine (sort of like a secondary file server) and then running a remote sync from the File Server which is in the LAN zone (that would of course require refining the PF2 rules so that they allow packets to pass into the LAN zone file server after such a remote sync is initialized from the LAN zone itself).

Another scenario is to simply open the SSH port on PF2 and to use the SSH gateway machine in the DMZ to redirect the traffic to the file server. In this scenario the File Server in the LAN zone will allow SSH, but only from the specific machine in the DMZ zone. Nothing else.


What do you people actually do?

The above thoughts are the result of my attempts to fully understand the topology of the network of the University where I work.

The LAN zone is of course user terminals with faculty and student accounts. Those accounts actually reside on the File Server, which runs NFS only visible from the LAN zone. Besides the File Server (NFS), the LAN zone contains DNS and Printer/Scanner servers which are invisible from the internet.

The DMZ consists of the Mail Server, WWW server, Squid, Snort, and I believe the machine which is the dedicated SSH gateway for access to accounts from outside.

Thanks a LOT
OKO


P.S. By the way, all machines in the above diagram are OpenBSD, including Desktops/Terminals.

Last edited by Oko; 22nd June 2008 at 06:27 PM.
#2 - 22nd June 2008 - ai-danno

I would use the built-in FTP server (comes with OpenBSD generic installation) on your file server, and open port 23 on your firewalls.

Assigning specific user access will help to secure that, and that can be easily linked to your current system users with fun stuff like RADIUS.

BTW, OpenSSH isn't installed on your OpenBSD fileserver? Really?
#3 - 22nd June 2008 - Oko

Quote (originally posted by ai-danno):
I would use the built-in FTP server (comes with OpenBSD generic installation) on your file server, and open port 23 on your firewalls.

Assigning specific user access will help to secure that, and that can be easily linked to your current system users with fun stuff like RADIUS.

BTW, OpenSSH isn't installed on your OpenBSD fileserver? Really?
I meant it is not started, or if you like disabled, since the default installation will start it. Come on, I am not that dumb.

Can't you do the same thing by opening port 22 (or even better some nonsense port like 25608 which will map onto 22) and then actually use the OpenSSH server built in on the LAN file server? I like the idea of RADIUS very much though.

Thanks for the answer.
OKO

Last edited by Oko; 22nd June 2008 at 07:38 PM.
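The two PF2 scenarios from the opening post and the port-mapping idea from post #3, written out as rulesets. This is an added example for the thread, not configuration from any of the posters or from the OpenBSD project. Interface names (em0/em1), the addresses (10.10.0.0/24 for the LAN zone, 192.168.1.x for the DMZ hosts), the mail ports and the rsync path and account are all assumptions; the rdr-to form of the redirect is the syntax of OpenBSD 4.7 and later, not the rdr syntax current in 2008.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from OpenBSD).
# pf2_ruleset prints a pf.conf for PF2, the DMZ <-> LAN zone firewall, that
# implements the policy stated in post #1.  pf1_rdr_rule prints the PF1 rule
# for the obscure-port idea from post #3.  All names and addresses are assumed.

pf2_ruleset() {
cat <<'EOF'
# /etc/pf.conf on PF2 (assumed addressing)
dmz_if     = "em0"             # towards the DMZ
lan_if     = "em1"             # towards the LAN zone
lan_net    = "10.10.0.0/24"
squid      = "192.168.1.10"    # proxy in the DMZ
mail       = "192.168.1.20"    # mail server in the DMZ
sshgw      = "192.168.1.30"    # SSH gateway in the DMZ
fileserver = "10.10.0.5"       # NFS file server in the LAN zone

set skip on lo
set block-policy drop

# Default policy: block everything in both directions and log it.
block log all

# pf keeps state by default and states float across interfaces, so one
# "pass in" rule on the interface where a session starts also lets those
# packets leave on the other interface and admits the replies.  No separate
# rule for return traffic is needed.

# LAN users reach the Internet only through Squid ...
pass in on $lan_if proto tcp from $lan_net to $squid port 3128
# ... and fetch mail from the DMZ mail server (POP3/IMAP, plain and TLS; assumed).
pass in on $lan_if proto tcp from $lan_net to $mail port { 110 143 993 995 }

# Scenario 1 (rsync mirror on the gateway): the copy is started from the
# file server, e.g. "rsync -a -e ssh /home/ sync@192.168.1.30:/srv/mirror/"
# (assumed path and account), so only this outbound SSH rule is needed.
pass in on $lan_if proto tcp from $fileserver to $sshgw port 22

# Scenario 2 (SSH through the gateway): only the DMZ gateway may open SSH to
# the file server; no other DMZ host gets into the LAN zone at all.
pass in on $dmz_if proto tcp from $sshgw to $fileserver port 22

# NFS, DNS and printing stay LAN-only: nothing above passes them across PF2.
EOF
}

pf1_rdr_rule() {
cat <<'EOF'
# /etc/pf.conf fragment on PF1 (Internet-facing): publish the DMZ SSH gateway
# on an unusual port.  This only cuts scanner noise in the logs; it is not a
# security control, so the gateway must still insist on key-based logins.
sshgw = "192.168.1.30"
pass in on egress proto tcp to (egress) port 25608 rdr-to $sshgw port 22
EOF
}
```

Save each output as /etc/pf.conf on the respective firewall, check it with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`. One caveat on scenario 1: it places a copy of every home directory on a DMZ host, so anyone who compromises the gateway gets the data without ever touching the LAN zone; scenario 2 keeps the data behind PF2 and is the usual choice when the file server can run a locked-down sshd.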
#4 - 22nd June 2008 - jggimi

You don't say what type of fileserving you wish to do; NFS or CIFS. But I don't think it matters.

Both are considered insecure; even if authentication and authorization are well controlled, these technologies transfer unencrypted data blocks. If you don't have complete end-to-end control of all access to the network, this is insecure.

The best practice is to implement a VPN for filesharing over insecure networks.
#5 - 22nd June 2008 - Oko

Quote (originally posted by jggimi):
You don't say what type of fileserving you wish to do; NFS or CIFS. But I don't think it matters.

Both are considered insecure; even if authentication and authorization are well controlled, these technologies transfer unencrypted data blocks. If you don't have complete end-to-end control of all access to the network, this is insecure.

The best practice is to implement a VPN for filesharing over insecure networks.
Well, the LAN file server, seen from the machines in the LAN zone, is NFS and completely unprotected. All machines in the LAN zone are considered 100% trusted and they can do anything between each other.

My question is what is the best way to enable access to the files stored on the HDD of such a file server from a machine which is not in the LAN, not even in the DMZ zone, but somewhere out on the internet. This is the typical situation when the user wants to log in from the Internet and get some files from his account.

Yes, VPN (IPsec) is also a solution (IPsec is probably the best solution) and this is what the big guys from the central university computer center are doing. Although they use a CISCO 3000 server which is NOT very secure, but that is another matter.

Last edited by Oko; 22nd June 2008 at 11:27 PM.
#6 - 22nd June 2008 - jggimi

OpenBSD provides four VPN choices: IPSec and OpenSSH are included, OpenVPN and Poptop (a PPTP implementation) are available as packages.
#7 - 22nd June 2008 - ai-danno

Well, you could run FTP, but if security is paramount (and I suppose it should be), then Secure FTP (SFTP) would work well, too, as it encrypts its communications. If your outside clients use Windows, then WinSCP is a good SFTP application for that platform to access your fileserver securely.

The nice thing about an SFTP solution is you get a similar experience to FTP, but it's secure, and without a major investment in time installing/configuring/managing anything new like a VPN solution (even if it already does come with OpenBSD.) Besides, a VPN solution suggests more than just needing access to files on a file server, which is all you have stated is needed to be happy.
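The SFTP-only setup suggested above, combined with the DMZ gateway from the opening post, as an added example; it is not configuration from the posters or from the OpenSSH project. Assumed names: the file server at 10.10.0.5, the DMZ gateway at 192.168.1.30 reachable from the Internet as gw.example.edu on port 25608 (the obscure-port idea from post #3), a group "sftponly" for accounts that may only transfer files, and the user "oko". ChrootDirectory and internal-sftp need OpenSSH 4.8 or newer; ProxyJump on the client needs 7.3 or newer.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts or from OpenSSH).
# Assumed: file server 10.10.0.5, DMZ gateway 192.168.1.30 / gw.example.edu:25608,
# group "sftponly", user "oko".

# sshd_config for the LAN file server: keys only, no shell for sftponly users,
# logins accepted from the DMZ gateway only.  PF2 already limits the source;
# the AllowUsers line repeats that inside sshd as defence in depth.
fileserver_sshd_config() {
cat <<'EOF'
ListenAddress 10.10.0.5
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
AllowUsers *@192.168.1.30
# Chroot to /home rather than %h: NFS home directories are user-owned, and
# sshd refuses a ChrootDirectory that root does not own.  The session starts
# at the chroot's "/" (= /home); normal Unix permissions still apply inside.
Match Group sftponly
    ChrootDirectory /home
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# ~/.ssh/config on the user's home machine: "sftp fileserver" hops through
# the gateway in one command (ProxyJump needs OpenSSH 7.3 or newer).
client_ssh_config() {
cat <<'EOF'
Host sshgw
    HostName gw.example.edu
    Port 25608
    User oko
    IdentityFile ~/.ssh/id_ed25519
Host fileserver
    HostName 10.10.0.5
    User oko
    ProxyJump sshgw
EOF
}

# sshd's rule for ChrootDirectory: the directory and every parent must be
# owned by root and writable by nobody else.  This checks one component from
# its "ls -l" mode string and owner (my approximation of sshd's own check).
chroot_component_ok() {
    mode=$1 owner=$2
    [ "$owner" = root ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group- or world-writable
    esac
    return 0
}

# Walk from the chroot directory up to / and check each component.
chroot_path_ok() {
    dir=$1
    while :; do
        set -- $(ls -ld "$dir")
        chroot_component_ok "$1" "$3" || return 1
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}
```

Check the server side with `sshd -t` after installing the config, and run `chroot_path_ok /home` before the first sftponly login: a group- or world-writable component anywhere on the path makes sshd reject the session with "bad ownership or modes for chroot directory", which is the failure people hit most often with this setup. On Windows, WinSCP reaches the file server the same way through its SSH tunnel option, pointing the tunnel at gw.example.edu:25608.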
#8 - 23rd June 2008 - Eam404

IPSEC by most standards is generally the preferred method for connecting network to network. However, in your case it really doesn't make much sense. With IPSEC you will have slightly faster transfer speeds, as the encryption overhead does not require as much CPU/RAM as PPTP. However, PPTP in your case seems better suited. If all you're wanting is a simple means to access files in a remote location, you do not need to be connected 24/7 via IPSEC. Keep in mind that the more gateways you are connected to, the more there will be to manage.

A more robust solution might be some of the other options other members have offered up. Personally, for your basic services I would use some sort of virtualization, but that's me. It all depends on your needs and requirements; thus far, what you described is quite easy to do, as many have offered good solutions.

In my opinion the best practice is to keep it simple.