Overclockers Australia Forums
#1  10th July 2009, 1:35 AM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)
DLC for linux?

I hear DLC is an old but very fast protocol for communicating with mainframes. Microsoft supports it in Windows 2000 and 9x.

Does linux support DLC? If yes, how do I configure samba to access a windows file server that only talks DLC?

#2  10th July 2009, 2:23 AM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

Oops! Microsoft cannot use DLC for normal communication between computers. So the file server cannot be accessed with DLC.

What about the "IPX/SPX compatible protocol", is it available in linux? And if yes, how do I set up samba to work through this protocol?

The reason I do not want to use TCP/IP on the file server is security. Don't want the server to get owned. The linux box can't get owned for long because it will be a live CD.

#3  10th July 2009, 9:12 AM
Forge (Member, Join Date: Jun 2001, Location: Brisvegas, Posts: 258)

Security through obscurity is no security at all. Introducing an old protocol comes with more risks than using something that is undergoing constant maintenance and revisions (stack-wise).

Use TCP and make sure you adhere to best practice for all elements of the service you wish to provide.
* Use ACLs on the file system, samba, etc.
* Use a centralised authentication and authorisation service
* Use encryption if you have to (don't lose the keys)
* Firewall the server
* Do not multi-home the server
... and so on.

A connection to a server via protocol X is still a connection to the server. At least with TCP you'll have the tools to defend yourself.

#4  10th July 2009, 7:18 PM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

Quote (originally posted by Forge):
> * Use ACLs on the file system, samba, etc.
> * Use a centralised authentication and authorisation service
> * Do not multi-home the server
Any sites with instructions or tutorials how to do these?

Quote (originally posted by Forge):
> A connection to a server via protocol X is still a connection to the server. At least with TCP you'll have the tools to defend yourself.
I'm not sure why you mention X. It is a windows 2000 server. I want to totally isolate it from the internet. Windows uses tcp/ip for some of its internal workings which requires that it exposes some ports like 2869 and do fancy things with svchost.exe connections that I do not understand (something to do with upnp which can be exploited by hackers, remote procedure calls, COM, but also unwanted windows updates while windows update has been disabled, etc). So I do not trust microsoft at all, I believe windows PCs will one day be used by a world-wide big brother state for constant surveillance on everyone.

That is why I want to access the internet only from linux and on a computer without a hard disk. And save anything worth saving onto a hardened windows file server without any tcp/ip at all if possible.

Last edited by Mihalis; 10th July 2009 at 7:35 PM.

#5  10th July 2009, 7:41 PM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

The ideal would be to use a usb flash drive for the file transfers.

Next to that, is there any protocol other than tcp/ip that is well maintained and can be installed on both linux and windows for file transfers only?

#6  10th July 2009, 10:01 PM
Crinos (Member, Join Date: Jul 2002, Location: Tasmania, Posts: 4,019)

Wow... just wow. Some of this is really tin foil hat stuff. If you have a NATed network with no external->internal access, and run 100% *nix (Windows 2000 is a poor choice for a "hardened file server" since it's pretty out of date...) with strong passwords, it's really going to be harder than some kludged together system with ancient protocols.
__________________
OCAU MetaL Club Member #666 | last.fm
2005: Megadeth | 2006: Opeth | 2007: Blind Guardian, Sodom | 2008: Iron Maiden | 2009: Pain of Salvation, Dream Theater
2010: Ensiferum, Sonata Arctica, Wolves in the Throne Room

#7  11th July 2009, 5:09 AM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

Quote (originally posted by Crinos):
> 100% *nix (Windows 2000 is a poor choice for a "hardened file server" since it's pretty out of date
Sorry but completely abandoning windows is not an option. That's not because we love M$. It's because better software is available for windows, period. If there wasn't, everybody would be using freeware linux. So we're left with the problem of how to get files onto windows safely, like online video material that we want to edit with the superior video editors that are available for windows and show it online.

Quote (originally posted by Crinos):
> If you have a NATed network with no external->internal access
I'm not sure what a NATed network is, but if the external part gets infected and owned, wouldn't the hacker that has become an administrator be able to port-scan the file server or somehow get into it?

#8  11th July 2009, 5:22 AM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

Look what I just found here. Someone is asking "Is it possible to scan a NATed network using nmap or other tool?". And the answer is:

"Yesh, there is, but is difficult to find. Look for a patched version of NMAP called "Cronos", which will enable you to traverse a NAT'ed firewall. "

#9  11th July 2009, 10:36 AM
elvis (Member, Join Date: Jun 2001, Location: Brisbane, Posts: 19,921)

I read the title as "Down Loadable Content for Linux", which I assumed meant apt-get.
__________________
Child's Play Charity

#10  11th July 2009, 1:25 PM
the-enigma (Member, Join Date: Mar 2002, Location: BrisVegas, Posts: 1,734)

Quote (originally posted by Mihalis):
> Look what I just found here. Someone is asking "Is it possible to scan a NATed network using nmap or other tool?". And the answer is:
>
> "Yesh, there is, but is difficult to find. Look for a patched version of NMAP called "Cronos", which will enable you to traverse a NAT'ed firewall. "
I tried a bit of googling, the only references to nmap and Cronos were either links to that mailing list, links to this forum, or nmap scans showing an open port 148, which nmap relates back to a cronus service.

As for scanning a NAT'ed network, though, as long as the "software" providing the NAT does not have any loopholes, scanning a NATed network does require the hosts on the other side to communicate to the internet. Roughly what happens is that the hidden host A, sends a message to the router R, trying to access the internet. R changes the source IP address to itself, and sends it out of port X (outgoing port, not incoming). R then remembers that anything traversing this open connection should go back to host A.
So yes, if some scanning tool happens to scan the right port, it can reflect back through the NAT, but as long as you ensure that host A never accesses the internet through R, then R won't connect any incoming connections to host A.

Well, that's how I remember NAT working, it's been a while since I played with it on a technical level.
__________________
Official Talleh Fan Club Member #1
Official Biatch Fan Club Member #1

#11  11th July 2009, 9:46 PM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

Quote (originally posted by the-enigma):
> So yes, if some scanning tool happens to scan the right port, it can reflect back through the NAT, but as long as you ensure that host A never accesses the internet through R, then R won't connect any incoming connections to host A.
OK but I don't know how to stop windows trying to access the internet without permission. Disabling the automatic updates does not work, windows connects anyway for certain updates through svchost.exe. If svchost is blocked by the firewall running in windows, then windows does not work correctly because rpc, com, upnp, and who knows what else are disabled. So svchost.exe needs to be free to do whatever it likes. What's worse, svchost connects to a company called Limelight Inc that is used by windows for its updates but Limelight can also be used by others too like Sun or Adobe whose software we need. The result is, any customer of Limelight whose software we need is free to "phone home". Limelight is not just one IP block, they keep getting different ones so you can't block them permanently.

In other words, not using TCP/IP in the LAN is the only real defence I know against Limelight.

Hasn't anyone thought of a simple non-routable protocol for file sharing? Laplink was nice for connecting dos computers through the serial ports and exchanging files, hasn't anyone ported something similar to linux, with ethernet instead?

Last edited by Mihalis; 11th July 2009 at 10:00 PM.

#12  11th July 2009, 9:57 PM
elvis (Member, Join Date: Jun 2001, Location: Brisbane, Posts: 19,921)

Quote (originally posted by Mihalis):
> OK but I don't know how to stop windows trying to access the internet without permission.
Put a firewall in front of it. A linux box with IPTables will do just fine. Failing that, just don't specify a default route.

I work in finance, and about 80% of our production servers don't get a default route, and are only allowed to broadcast within their subnet/VLAN.

Updates for Windows servers are handled through WSUS on the same subnet. The WSUS server then gets access via a highly limited proxy (again, no default route for the prod WSUS box).

Quote (originally posted by Mihalis):
> In other words, not using tcp/ip is the only real defence against Limelight.
Not so.

Quote (originally posted by Mihalis):
> Hasn't anyone thought of a simple non-routable protocol for file sharing?
Why on earth don't you just not allow routing outside of your network? IP doesn't require a default route, after all.

Honestly... how do you think banks secure their IP networks? It ain't rocket surgery.
__________________
Child's Play Charity

Last edited by elvis; 11th July 2009 at 10:03 PM.
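The two ideas in this post and in the-enigma's NAT description above (a stateful NAT that only passes replies to connections the LAN opened, plus a server that has no default route and that the router refuses to forward) can be expressed as one small iptables ruleset for the Linux box sitting in front of the file server. This is an added example, not code from the thread or from any of its posters; the interface names, the 192.168.10.0/24 prefix and the file-server and update-proxy addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: an egress-control ruleset for a Linux
# router in front of the LAN file server. It combines a stateful NAT that
# passes only replies to LAN-originated connections with a hard refusal to
# forward the file server at all. Every name and address below is constructed.

WAN_IF="eth0"                  # assumed Internet-facing interface of the router
LAN_IF="eth1"                  # assumed LAN-facing interface
LAN_NET="192.168.10.0/24"      # constructed LAN prefix
FILESERVER="192.168.10.20"     # constructed address of the file server
UPDATE_PROXY="192.168.10.30"   # constructed address of the one host allowed out

# Print the router ruleset rather than applying it, so it can be reviewed
# first; pipe the output into sh on the router to apply it.
router_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# Let replies to LAN-originated connections back in; nothing unsolicited.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The file server is never forwarded anywhere, whether or not it has a gateway.
iptables -A FORWARD -i $LAN_IF -s $FILESERVER -j DROP
# Only the update proxy may open outbound connections.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $UPDATE_PROXY -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Anything else from the LAN is logged, then dropped by the chain policy.
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j LOG --log-prefix "egress-denied: "
# NAT is granted per source host, so a stray LAN host is not masqueraded either.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $UPDATE_PROXY -j MASQUERADE
EOF
}

# Audit helper: read 'ip route' output on stdin and succeed (exit 0) only if
# the host has a default route, i.e. could reach beyond its own subnet.
has_default_route() {
    grep -q '^default '
}

# Run with 'show' to print the ruleset; the functions above are the interface.
if [ "${1-}" = "show" ]; then
    router_rules
fi
```

The FORWARD policy is DROP, so any host that is not listed is cut off by default; the per-host DROP for the file server is there so that a later mistake (someone adding a gateway on the Windows box) still changes nothing. The audit helper is meant to be run against `ip route` on each Linux host that is supposed to be isolated, where the expected result is "no default route".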

#13  11th July 2009, 9:59 PM
FalconGT (Member, Join Date: Jul 2001, Location: Ballina, Posts: 1,506)

Quote (originally posted by Mihalis):
> OK but I don't know how to stop windows trying to access the internet without permission.
>
> In other words, not using tcp/ip is the only real defence against Limelight.
>
> Hasn't anyone thought of a simple non-routable protocol for file sharing?
So your lack of knowledge is tcp/ip's fault ?

Simple solution is to pay someone that knows what they are doing to set it up.

#14  11th July 2009, 10:05 PM
Mihalis (Thread Starter, Member, Join Date: May 2009, Posts: 100)

Quote (originally posted by FalconGT):
> Simple solution is to pay someone that knows what they are doing to set it up.
A hacker is what I need for this. Or rather, two unrelated hackers, one to set it up, one to attack it.

Isn't it cheaper to find a port to linux of something like laplink which was used to connect dos computers and exchange files?

#15  11th July 2009, 10:19 PM
elvis (Member, Join Date: Jun 2001, Location: Brisbane, Posts: 19,921)

Quote (originally posted by Mihalis):
> A hacker is what I need for this. Or rather, two unrelated hackers, one to set it up, one to attack it.
There are plenty of places that do commercial penetration testing. But I don't think you need that. It sounds like you need a basic class in networking.

Quote (originally posted by Mihalis):
> Isn't it cheaper to find a port to linux of something like laplink which was used to connect dos computers and exchange files?
What's wrong with a crossover cable and two hosts on a /30 subnet?

Seriously man... do some reading!
__________________
Child's Play Charity
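The crossover-cable /30 suggested in this post is the simplest form of the "no route beyond the link" idea: a /30 holds exactly two usable addresses, so the Linux end can be given its address and the connected route and nothing else. The script below is an added example, not code from the thread or its posters; the interface name eth0 and the 10.0.0.0/30 addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: bring up one end of a crossover /30
# link on Linux with only the connected route. Interface and addresses are
# constructed for illustration.

# Given one usable host address in a /30, print the other one. Each /30 is a
# block of four addresses: network, host, host, broadcast. Only the middle
# two are assignable, so anything else is rejected.
p2p_peer() {
    ip="$1"
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "malformed address: $ip" >&2; return 1; }
    net=$(( $4 - $4 % 4 ))        # last octet of the /30 network address
    case $(( $4 - net )) in
        1) peer=$(( net + 2 )) ;;
        2) peer=$(( net + 1 )) ;;
        *) echo "not a usable /30 host address: $ip" >&2; return 1 ;;
    esac
    echo "$1.$2.$3.$peer"
}

# Print the commands that configure the Linux side of the link. There is
# deliberately no 'ip route add default': the only route the host receives is
# the connected /30, so it can reach the peer and nothing else.
link_commands() {
    dev="$1"
    addr="$2"
    peer=$(p2p_peer "$addr") || return 1
    printf 'ip addr flush dev %s\n' "$dev"
    printf 'ip addr add %s/30 dev %s\n' "$addr" "$dev"
    printf 'ip link set %s up\n' "$dev"
    printf '# peer on this link: %s; no default route is added\n' "$peer"
}

# Run with 'show [dev] [addr]' to print the commands for review before piping
# them into sh.
if [ "${1-}" = "show" ]; then
    link_commands "${2:-eth0}" "${3:-10.0.0.1}"
fi
```

The Windows end gets the peer address with the same 255.255.255.252 mask and an empty default gateway field, which is the Windows equivalent of "no default route" that elvis describes earlier in the thread.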