20010201: Security of McIDAS ADDE and LDM
- Subject: 20010201: Security of McIDAS ADDE and LDM
- Date: Sat, 03 Feb 2001 16:03:11 -0700
>From: Erick Lorenz <address@hidden>
>Organization: UC Davis
>Keywords: 200102020159.f121xaX03428 security
Erick,
>Recently my LDM/McIDAS server, an Intel based computer running Redhat Linux
>6.2, was broken into and used to attack another system. I have had it
>offline while I reinstall Linux and now I am trying to beef up its security.
>I have some questions. Some of these relate to the operation of the LDM
>and some to McIDAS.
Ready.
>1. Linux has TCP Wrappers which can be configured with the files
> /etc/hosts.allow and /etc/hosts.deny. You can use these files to
> grant network services to some hosts or subnets and deny them to all
> others.
Right, we use these for host access control.
> I want to configure my server so that it will communicate
> only with its McIDAS clients (it has the only copy of McIDAS and it
> stores all the data) and with its upstream data providers and then
> only through the minimum set of network services necessary.
>
> Question: Which network services are essential to receiving data from an
> upstream host on the IDD?
Port 388.
> Question: Which network services are essential for client machines to get
> data from a server using adde?
Ports 500 and 503.
>2. Some members of our department are seriously considering installing a
> firewall.
>
> Question: Do any LDM clients in the IDD network have their leaf LDM
> servers behind firewalls?
Yes.
> Can this be done without interfering with the flow of data?
Yes, but you have to allow traffic on port 388 to flow.
>Thank you
Please let me know if you were looking for anything more extensive.
Tom Yoksas
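The TCP Wrappers setup discussed above, worked through as an added example (not part of the original exchange): a hosts.allow that admits the LDM feed only from the upstream host and the ADDE servers only from the departmental client subnet, with hosts.deny closing everything else, plus a small evaluator that applies tcpd's lookup order (hosts.allow first, then hosts.deny, otherwise permit). The daemon names, host name and subnet are assumptions for illustration; on a real server the daemon names must match the service program names in inetd.conf, and only services started through inetd/tcpd are wrapped at all.

```python
"""TCP Wrappers-style access check for an LDM/ADDE server (added example)."""

# Constructed rules in /etc/hosts.allow and /etc/hosts.deny syntax.
# Daemon names, the upstream host and the client subnet are assumptions.
HOSTS_ALLOW = """
# LDM (port 388): only the upstream IDD feed may connect.
ldmd : upstream.example.edu
# ADDE servers (ports 500 and 503): only the departmental client subnet.
mcserv mccompress : 192.0.2.
# Anything from the local host itself.
ALL : 127.0.0.1
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Return [(daemon_list, client_list)] from hosts.allow/deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def _matches(pattern, name):
    """tcpd patterns: ALL, 'net.prefix.' for addresses, '.domain' for names."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return name.startswith(pattern)
    if pattern.startswith("."):
        return name.endswith(pattern)
    return pattern == name


def _rule_hits(rules, daemon, client):
    return any(any(_matches(d, daemon) for d in ds)
               and any(_matches(c, client) for c in cs) for ds, cs in rules)


def is_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match grants, then a hosts.deny match
    refuses, and a connection matching neither file is permitted.
    Real tcpd tests both the client address and its resolved name;
    here the caller passes whichever identity the rules use."""
    if _rule_hits(parse_rules(allow), daemon, client):
        return True
    if _rule_hits(parse_rules(deny), daemon, client):
        return False
    return True
```

Because hosts.deny ends with `ALL : ALL`, any service not explicitly listed in hosts.allow is refused from every remote host, which is the "minimum set of network services" posture the question asks for.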