UhOh - I pissed off IT security


Armitage

Banned
Feb 23, 2001
Ok, so we didn't get very far today. They are adamant that a dial-up modem with auto answer not be on their network - and were not very forthcoming with alternatives. About what I expected. I even offered that I would only turn the modem on when the hardware team is actively testing and calls up and asks me to turn it on. No dice.

One guy suggested that I put the modem on one system, and connect that system to the system on the network via the serial ports. That doesn't make any sense to me ... if somebody just compromised your first system via the serial port, what's to stop them from doing the same to the second system??

I proposed the following via email, but had to leave before I got a response.

Machine A
Has the modem and 1 NIC. Runs a firewall that only allows connections from Machine B and only on the NFS ports. The modem writes its files to the volume exported via NFS to Machine B.

The modem software runs as a very restricted user - just enough permission to read from the serial port and write to the exported filesystem.

Machine B
2 NICs

First is connected to the corporate network - possibly configured to only allow traffic on port 80

Second is connected only to Machine A via a crossover cable or small hub/switch. Configured to not accept any incoming connections except for the return NFS connection.

You might be able to substitute some kluge of ssh/scp instead of NFS as well.

Maybe run an antivirus on one or both - ClamAV? And ensure that all files are scanned before the webserver can touch them. Maybe run an SELinux distro to lock things down harder with ACLs and such?

What do you guys think? Is this reasonable? Does it significantly reduce the risk?
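
The firewall side of the layout proposed above, sketched as an added example that is not part of the original post: two functions that emit `iptables-restore` rulesets for Machine A and Machine B. The interface names, the private-link addresses and the use of NFSv4 over TCP 2049 alone are assumptions (NFSv3 would also need the rpcbind and mountd ports opened).

```shell
#!/bin/sh
# Added example. All values below are constructed placeholders, not from the post.
A_IP=192.168.77.1     # Machine A, private link
B_IP=192.168.77.2     # Machine B, private link
A_IF=eth0             # Machine A's only NIC
B_CORP_IF=eth0        # Machine B, corporate side
B_PRIV_IF=eth1        # Machine B, crossover link to A
NFS_PORT=2049         # assumes NFSv4 (single TCP port)

# Machine A: default deny; only Machine B may open a connection, only to NFS.
machine_a_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $A_IF -s $B_IP -p tcp --dport $NFS_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $A_IF -d $B_IP -p tcp --sport $NFS_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Machine B: web traffic in on the corporate NIC; on the private NIC it may
# only originate NFS to A and receive the replies. FORWARD stays DROP so the
# dual-homed host never routes between the two networks.
machine_b_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $B_CORP_IF -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $B_CORP_IF -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o $B_PRIV_IF -d $A_IP -p tcp --dport $NFS_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $B_PRIV_IF -s $A_IP -p tcp --sport $NFS_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print one ruleset: "sh rules.sh a" or "sh rules.sh b"; pipe into iptables-restore as root.
case "${1:-}" in
  a) machine_a_rules ;;
  b) machine_b_rules ;;
esac
```

Machine B should also keep `net.ipv4.ip_forward` at 0, and on Machine A the NFS export itself should be limited to Machine B's address so the firewall is not the only control.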
 