AIX Network Security Connection - HELP

Status
Not open for further replies.

franksoprano

Technical User
Apr 13, 2002
249
US
I am in the process of trying to secure our network. We have a network of a variety of RS6000 servers for various functions. Right now we have 1 RS6k box that is directly connected to the internet. I am trying to figure out what the best method is for securing this box, while keeping it connected to the internet for remote access.

I was considering taking our RedHat 8 Play-Box and making it a dedicated firewall for the head of the LAN. But then I was doing some thinking and kinda talked myself out of it, because I'm trying to weigh it against the options of what can be done to the RS6k box to prevent hacks...

Would it be better to set up the Linux box with a firewall and VPN in, or would it just be best to lock down the RS6k?


The main purpose of the RS6k box being on the internet is to provide us remote access to a few files on the servers, no HTTP use or anything of the like. Pretty much for internal, non-production use.

Thanks!

Frank-
 
Hi,

I think it would be better to have a firewall in place so any unwanted users will have to come via your firewall rather than directly on your box. Also, depending on what you are using as your web server, only open that port up, i.e. users connect to the web server on, say, port 80. One other thing to note, if you haven't got it installed, is the sendmail fix, i.e. have you got PTF IY40500 installed for AIX 4.3.3? Because this has a potential bug and can be hacked easily.

HTH
 
DSMARWAY,

Thanks for the reply. We are not running any HTTP or mail services on the box that we need access to. So then if I go the Linux firewall route, how would I connect to the RS6000 behind it? Will I have to ssh into the Linux firewall and then into the servers behind it? Or can I set up port forwarding to have ssh requests sent to a particular host?

We are not running 4.3.3, we are running 5.1 :)

And to be quite honest we do not do a lot of remote connections from the outside, and when we do we are just doing some minor stuff, troubleshooting.

Thanks again!
 
How is everyone else gaining remote access to their RS6000s over the internet?
 
Hi,

You can set your firewall up as a router, or as a firewall with NAT (Network Address Translation). So the first way, you would have the gateway as your firewall so it passes traffic to that; or have it as a NAT, which translates your address, say 1.1.1.1, to 10.1.1.1 (RS 6000 box), which will connect to a certain port on your server.

hope this makes sense
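
The NAT setup described in this reply, sketched as iptables rules for the Linux firewall; this is an added example and not part of any post in the thread. The addresses 1.1.1.1 and 10.1.1.1 are the ones used above; the interface names and the allowed admin source range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forward inbound SSH on the firewall's
# public address to the RS/6000 behind it, and drop all other forwarding.
PUB_IP=1.1.1.1          # firewall public address (from the thread)
RS6K_IP=10.1.1.1        # RS/6000 behind the firewall (from the thread)
WAN_IF=eth0             # assumption: Internet-facing interface
LAN_IF=eth1             # assumption: LAN-facing interface
ADMIN_NET=192.0.2.0/24  # constructed: only source range allowed to connect
SSH_PORT=22

# Print each command by default; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

ssh_forward_rules() {
    # Default-deny: nothing crosses the firewall unless a rule allows it.
    run iptables -P FORWARD DROP
    # Let replies for already-accepted connections flow both ways.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the destination of SSH from the admin range to the RS/6000.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$ADMIN_NET" \
        -d "$PUB_IP" --dport "$SSH_PORT" \
        -j DNAT --to-destination "$RS6K_IP:$SSH_PORT"
    # After DNAT the packet is addressed to the RS/6000; allow only that flow.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$ADMIN_NET" \
        -d "$RS6K_IP" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # The kernel must route between the two interfaces.
    run sysctl -w net.ipv4.ip_forward=1
}

ssh_forward_rules
```

Run as is, the script only prints the commands for review; set APPLY=1 as root to load them.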
 
DSMARWAY,

Yes, that makes sense to me, but let me ask you this... What would be the benefit of going with the Linux firewall and doing NAT as opposed to just locking down the RS6000 and installing ssh for remote access?


Thanks!

Frank Soprano
 
SSH and TCP-wrappers would help secure this machine. Also, the sendmail fix for AIX 5.1 is IY40501.

Finally, there is a handy tool I found on rootvg.net called AIX Security Tool box. It is free and will help you lock down this node.
 
tlyon,

Thanks, I will check out the security tool box on rootvg.net. I am going to go that route, securing/locking down the node instead of putting it behind a firewall, since it's a non-production box.


Thanks!


Frank Soprano
 