Desperately need assistance!

Discussion in 'LnS English Forum' started by Tim Williams, Jul 6, 2003.

Thread Status:
Not open for further replies.
  1. Tim Williams

    Tim Williams Guest

    Hello all,

    I need a little (a lot?) of help creating a ruleset. What I want to do is very simple:

    1) I want to allow the entire Internet to access my webserver on ports 80 and 443.

    2) I want to dis-allow EVERYTHING else (ftp, mail, ..EVERYTHING) to ANYONE besides individuals with specific MAC addresses, with the exception of ARP (because I don't know the MAC address of my Gateway).

    3) Those machines with the allowed MAC addresses I want to allow pretty much anything.

    However, I also have a few questions:

    a) is the above configuration safe? Is it possible for someone to spoof a MAC address?

    b) is there any possible vulnerability in allowing all ARP traffic? should I bother calling my ISP and asking them for the MAC address of my gateway? or is there a way I can find this out on my own?

    My situation: I have my server co-located at my ISP. I only want the public to be able to access my website on ports 80 and 443. However, from my home computer (or my laptop when on the road), I would like to be able to connect to the server with remote desktop, file sharing (netBios, etc.), SMTP, POP3, and pretty much any other server/service that I would like to provide myself with...but I don't want the public being able to connect to these services - the ONLY ports I want the public to connect to are 80 and 443 for my website.

    I figured the best way to do this is with the above scenario (using the MAC addresses of my home computer and laptop) as I do not have a static IP at home or when I'm on the road.

    Also, THE MACHINE NEEDS TO BE ABLE TO CONNECT TO ITSELF, so that my web application can send e-mails (my mailserver is running on the same box) and connection to SQL Server (also running on the same box).

    I would most appreciate it if someone could create me an example ruleset file and e-mail it to me at twilliams@datastreamcorp.com (please put the word RULESET in capital letters in the SUBJECT line)...Thanks in advance!
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,353
    Location:
    France
    Hi,

    Unfortunately, what you plan to do will not work, because MAC addresses are not transmitted over the Internet.
    Specifying a MAC address in the firewall works only on a LAN, not through the Internet.
    The server (and thus the firewall) will never receive packets with the MAC address of your home or road PC.

    It is anyway possible to allow only ports 80 & 443, but for everyone.

    Regards,

    Frederic
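To make Frederic's point concrete, here is an added example (not from the thread, and not Look 'n' Stop's own rule format) that simulates how every router on the path discards the incoming Ethernet header and writes a fresh one, so the MAC-based rule asked for in the first post can never match a host reached across the Internet. All addresses are constructed sample values.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses for the simulation (not taken from the thread).
HOME_PC_MAC = "00:11:22:aa:bb:cc"
HOME_ROUTER_MAC = "00:11:22:dd:ee:ff"
ISP_GATEWAY_MAC = "00:50:56:12:34:56"
SERVER_MAC = "00:50:56:ab:cd:ef"
HOME_PC_IP = "203.0.113.7"
SERVER_IP = "198.51.100.20"

@dataclass(frozen=True)
class Frame:
    """The fields of an Ethernet frame carrying a TCP/IP packet that matter here."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int

def home_frame(dst_port: int) -> Frame:
    """Frame as it leaves the home PC: addressed at layer 2 to the home router."""
    return Frame(HOME_PC_MAC, HOME_ROUTER_MAC, HOME_PC_IP, SERVER_IP, dst_port)

def forward_hop(frame: Frame, router_mac: str, next_hop_mac: str) -> Frame:
    """A router drops the incoming Ethernet header and writes a new one for the
    next link; the IP header and port travel unchanged (NAT aside)."""
    return replace(frame, src_mac=router_mac, dst_mac=next_hop_mac)

def deliver_over_internet(frame: Frame) -> Frame:
    """Home router -> (intervening routers elided) -> ISP gateway -> server."""
    frame = forward_hop(frame, HOME_ROUTER_MAC, ISP_GATEWAY_MAC)
    return forward_hop(frame, ISP_GATEWAY_MAC, SERVER_MAC)

def requested_ruleset(frame: Frame, allowed_macs: set) -> str:
    """The rules the first post asks for: 80/443 open to everyone,
    everything else only for the listed MAC addresses."""
    if frame.dst_port in (80, 443):
        return "allow"
    return "allow" if frame.src_mac in allowed_macs else "block"

def mac_seen_by_server() -> str:
    """Source MAC on a Remote Desktop (3389) frame once it reaches the server."""
    return deliver_over_internet(home_frame(3389)).src_mac

def decision_over_internet(dst_port: int) -> str:
    return requested_ruleset(deliver_over_internet(home_frame(dst_port)), {HOME_PC_MAC})

def decision_on_lan(dst_port: int) -> str:
    """On the server's own LAN the PC's frame arrives with its real source MAC."""
    return requested_ruleset(replace(home_frame(dst_port), dst_mac=SERVER_MAC), {HOME_PC_MAC})
```

The server only ever sees its ISP gateway's MAC as the source, so every non-web connection from home is blocked by the intended rules, while the same rule set behaves as expected on a local network.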
     
  3. Tim Williams

    Tim Williams Guest

    Urghh... Too bad. I think it is time for a permanent, device-specific identification system for use on the Internet! Any ideas for my situation? I need to connect via Remote Desktop Connection to administer my server, and file sharing would be great also, but I know running these services open over the Internet is very risky. Any suggestions?
     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Tim,

    In addition to MAC addresses not being transported over the Internet, it *is* possible to spoof them, so it wouldn't be advisable to build your authentication scheme on MAC addresses. Even on a LAN alone...

    See the "How to get your gateway's MAC address" section (almost at the bottom) over here: http://www.commontology.de/security/firewalls/fire0.html#gateway_mac

    Maybe an essential question: What OS is your server running?

    The approach that comes to my mind first is to use ssh. This would require opening an additional port, which could be well secured - it would allow you to connect to the server, authenticate with password or certificate and then have a command shell on the server - or a port-forwarding (e.g. to ports 25/110 on the server) that would benefit from ssh's authentication.
    Another approach would be to set up a VPN to the server - this offers (at least) certificate and "shared secret" authentication and would effectively bring you stealthily through the server's firewall. But it is more difficult to set up (I think) and may be oversized/overcomplex for your needs.
    Finally, how about a dedicated remote administration tool like atelierweb's AWRC, LapLink or the good freeware alternatives: the mother of those, VNC, has inspired many spinoffs that combine VNC's functionality with ssh'ish security - like SSHVnc or - most notably - TightVNC.

    In general, I think that certificates are the closest you can get to a device-specific authentication, while username/password auth. is obviously user-specific.

    Unfortunately, since I've never had to set up a similar thing myself, that's about where my knowledge ends. But I hope to have helped you at least a bit further...

    See you,
    Andreas
     