On Fri, Jan 04, 2008 at 11:28:18PM -0500, Nick Holland wrote: > Rusty Gadd wrote: > > I am seeking advice on the security aspects of the configuration of my home > > system. I have 2 PC's, connected to the internet via a firewalled NAT > > router. The main PC is an i386 P4 used for general computing, the second is > > an older i386 P3 which I intend to dedicate to internet banking for maximum > > security. I have installed OpenBSD on the P3 with just the xfce4 window > > manager and the Mozilla Firefox browser. Both PC's have separate printers. > > 2: Space for the P3 is limited and I would like to remove its printer and > > print bank statements across the LAN on the main PC (running Linux, or maybe > > FreeBSD in future) using CUPS. Does this introduce security risks?
Why would you need CUPS on the P3? Shouldn't the bsd lpd be able to send the bank statement over to the other box to then get formatted and printed? lpd is in base already. > > Some. Not much. If you end up (accidentally) running a poorly written > service on your OpenBSD machine, yes you could be attacked. Even if you > are initiating contact with a compromised machine, it *might* be able to > send something back at you that could choke your app and cause Bad Things > to happen. > > The sad thing is you are being more careful with your system design than > your bank probably is. :-/ By the time you are running OpenBSD on your > banking computer, I suspect you have shifted the primary risk to the > other end of the wire...your bank is a bigger risk to your data than you > are. Does running Firefox on the banking computer, even if it is running on OpenBSD, cause any concerns? Is there a more secure browser that will still work with the bank's system? I'm assuming that the base Lynx won't work (if it will, just use that). Will you sit down at a separate screen/keyboard on the OpenBSD banking computer or will you access it via ssh? Would forwarding X via ssh from the banking machine to your main machine make banking any less secure? I suppose if the main machine were infected it could read your keystrokes as you type in passwords. Perhaps you could use the banking machine as your main access point, running apps on the main box via ssh. Would that introduce any insecurity in the banking machine? Doug.
