From: Brian Cervenka (brian Be-Bee.com)
Date: Thu May 17 2001 - 13:18:55 CDT
> Our accounting department needs to be put on a totally separate network that
> is inaccessible to the rest of the users. However, the users
To do this securely, you need a firewall or at the least a packet filter,
etc.
> their own file server that is also hidden. It could be NT but with the added
If you use the multihomed NT system, do not make this the file server.
Instead, use another small machine for that, then the fileserver can be in
the 'accounting' network, with no route out...it's not perfectly secure, but
it will at least stop the file server from responding to the non-accounting
net.
> However, disabling the NetBIOS bindings on the external NIC would hide this
> from the network. Most of the users don't have enough
If the machine is packet forwarding, then people could connect from the
non-accounting network to the NIC on the accounting side just fine.
> much harm, but I'd rather be safe than sorry. I could also specify the
> external NIC to not accept any traffic except from the mail server and gtw.
This would be a start.
I don't see that much of this would specifically give you a significantly
higher level of security than using the same NT domain and just controlling
access by groups; unless you are worried about people 1) breaking into your
NT server or 2) packet sniffing. The problem with using this method to
prevent (1) is that the users could just break into the new packet filter
machine instead of wasting time with the old one. The problem with this
method to prevent (2) is if any accounting people send mail to other
accounting users with confidential info, in this model that will traverse
the non-accounting network, and be sniffable.
--brian
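
The reachability argument in the reply above, as a small model added here for illustration (not part of the original message): it shows why unbinding NetBIOS on the external NIC does not hide the accounting-side NIC while forwarding is on, what a source filter changes, and why a separate file server with no route out stays silent. All addresses, names and the simplified forwarding model are assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
ACCT_NET = ipaddress.ip_network("192.168.2.0/24")    # accounting LAN
EXT_NIC = ipaddress.ip_address("192.168.1.254")      # dual-homed host, office side
INT_NIC = ipaddress.ip_address("192.168.2.254")      # dual-homed host, accounting side
FILE_SERVER = ipaddress.ip_address("192.168.2.10")   # separate accounting file server
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")
GATEWAY = ipaddress.ip_address("192.168.1.1")
OFFICE_PC = ipaddress.ip_address("192.168.1.77")
NETBIOS_PORTS = {137, 138, 139}


def session_possible(src, dst, port, *, forwarding, netbios_on_ext=False,
                     allowed_sources=None, server_route_out=False):
    """Model whether an office-side host can hold a session with dst.

    Simplified model (assumption): packets arrive on the external NIC, a
    service listens on every port not explicitly unbound, and with
    forwarding off the accounting-side addresses are unreachable.
    """
    if allowed_sources is not None and src not in allowed_sources:
        return False                  # source filter applied on the external NIC
    if dst == EXT_NIC:
        # Unbinding NetBIOS removes only the listener on this one interface.
        return port not in NETBIOS_PORTS or netbios_on_ext
    if dst == INT_NIC:
        return forwarding             # routed straight to the inner interface
    if dst in ACCT_NET:
        # A server with no route out cannot send replies to the office net.
        return forwarding and server_route_out
    return False


if __name__ == "__main__":
    only = {MAIL_SERVER, GATEWAY}
    cases = [
        ("office PC -> external NIC, NetBIOS unbound", OFFICE_PC, EXT_NIC, {}),
        ("office PC -> accounting-side NIC", OFFICE_PC, INT_NIC, {}),
        ("office PC -> accounting-side NIC, filtered", OFFICE_PC, INT_NIC,
         {"allowed_sources": only}),
        ("mail server -> accounting-side NIC, filtered", MAIL_SERVER, INT_NIC,
         {"allowed_sources": only}),
        ("office PC -> file server, no route out", OFFICE_PC, FILE_SERVER, {}),
    ]
    for label, src, dst, opts in cases:
        print(f"{label}: {session_possible(src, dst, 139, forwarding=True, **opts)}")
```

The filtered mail-server case still succeeds, so the hosts left on the allow list need the same hardening as the filter itself.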