LMCE & security

[deepB]

Hi,

I have a question regarding LMCE & security.

I should use the LMCE server as a gateway right? so route all traffic to and from the internet over the LMCE server. So the server is open to the internet. And potentially vulnerable when not all security updates are applied.

But now we have LMCE 1004, which is based on Kubuntu 10.04 as a beta, right?

So if I install LMCE1004 (which is only beta), I install Kubunut 10.04, where the support runs out on April 2013! (only the server version hast 5y support)
If I install the current stable LMCE 804, which is Kubuntu 8.04 I have a Kubuntu that is already out of support for over a year!

So how can I use LMCE without having to fear security problems?

Please note that this SHOULD NOT(!) be a rant about the development of LMCE and the timing, just a serious question.

Best regards
Daniel

[hari]

You can always put another firewall in front of LMCE. Please be aware that the system is quite open to attacks from the inside, too. The underlying communication protocol DCE has no security at all. No authentication and no encryption. If you control sensitive things like door locks, garage door openers and such via LinuxMCE, make sure that you don't have a patched CAT5 wire in your garden :-) (I'd recommend to use 802.1x anyway). Rebooting the core via a DCE command would also disable the security system for a while..

[Techstyle]

You are assuming the burglar in question firstly knows what to do with the Cat5 cable he dug up in your yard.

[deepB]

Well I do not really fear anythig from the inside, the outside is my problem.

Short question that might be dumb, but why does the LMCE server has to be the one that everything is routed over?

[Marie.O]

Mainly because of telecom, as SIP has problems being used behind NAT. These days it is less of a problem than it used to be.

[deepB]

Mainly because of telecom, as SIP has problems being used behind NAT. These days it is less of a problem than it used to be.

So it should also work without LMCE being the gateway?

[_if_]

@deepB: also keep in mind that LinuxMCE beeing the gateway for the LinuxMCE-network, does not mean you can not place your PCs or laptops outside of the LinuxMCE network. Usually there is a router before the core anyways, so just connect the PCs to the router (if this is your problem with the architecture...).
And if the core acts as a gateway or not, does not really make any difference to the security problem...

greetz
IF

[brononius]

Usually there is a router before the core anyways

You can mostly add additional security features on this router (fe buildin firewall).
Or to be 100% safe, add a real firewall device in front of it. Of course, this is an extra device (power consumption, configuration work...)

[jamo]

Regarding the "gateway"

I use a mix of networks which I find works nicely for me-

I have the DSL line coming through a DSL modem/router which is the first firewall keeping unwanted traffic from the internet out. Then that goes into a switch to my security cameras and wireless access point (this is my home network that is still "external" to the dcerouter). The core's "external" NIC plugs into this switch. Then the core's "internal" NIC plugs into my internal switch which all the media directors are connected to.

Then to access the core from my home network I just have to open ports 80 (for webadmin, weborbiter) and 22 for ssh on the linuxmce firewall. Setup works nicely because you can still provide wireless internet to non-linuxmce devices even when the core is down. Can also access IP security cameras directly on "home" network.  I do need to set static IP addresses on my router, though, so I can bookmark everything.

This would all work on internal network as well... it would just mean stuff would be down when the core was down (as it is the gateway) and I might have to open other ports on the core firewall to allow internet access to my security cams and stuff which I might not want to do.

Your best approach is to build up your system slowly because there are so many options. As long as you have Cat5/6 wiring everywhere coming to a central point you can't go too far wrong as it's easy to switch things around later. If I want to change the configuration, I just open the closet and move the cables around to different switches etc.