Re: other services on a firewall
'Twas a perfectly good explanation. This is what I see as the good old
argument, "the chain is only as strong as the weakest link."
One link fails, the whole thing goes with it. Charles is proposing having
multiple chains (computers in this case), so that if one goes, you dont
lose the rest. This is the good part to this point. The bad point,
however, is it may be a bit more expensive. If you can only afford one
computer system for web access and firewalling (like me), then you'll
probably have to live with it and put them all on one system (or if you're
also lazy (like me) and only want to deal with only one system :). But
hey, if you're good at programming and/or setting up sysetms, and you
trust and are confident of all the links in the chain, one machine ought
to do just fine. For me, it really depends on what it is your doing.
Either way, multiple computers would be better in theory for all systems (
Think of several ropes while climbing) to run the various servers.
In Theory, of course, and not always in practice.
For setups where it is pointless, such as if it's really not worth
spending money on extra systems, as Ken noted, just pay more attention to
system setup and security. So, in Ken's position, it sounds like 1
system, from what he's described is just fine. I just feel it's more of a
matter of preference, but something to be noted and/or kept in mind.
(Heck, I wouldn't mind having multiple servers myself, but dang if I could
ever afford it, or if I would actually get any gain out of it)
Hope this says something new or clarifies something! (or should I get out
the Asbestos underwear? :)
Do Svidonia,
Martin Held
Pre-EE, Oregon State University, Corvallis, Oregon.
heldm@ucs.orst.edu
-------------------
I can picture in my mind a world without war, a world without hate. And I
can picture us attacking that world, just because they'd never expect it.
On Tue, 4 May 1999, Charles wrote:
> The firewall on an isp should be used to block certian out
> going traffic. Ie if a web server is for only recieveing and
> never sends out it should not beallowed to send out.
> If the firewall was right on the web server and the
> web server was rooted. It could take the firewall down
> and get full access to the network.
>
> The firewall is used to stop traffic
> and log traffic.
>
> If it runs lots of extra services it will has that much more of
> a chance to be rooted and disabled. If it is rooted
> logs can be deleted or edited if they are stored on
> that machine and they should not be.
>
> Sorry for my bad explaintion my english is not the best.
>
> Charles Verge
>
> The Verge Internet Services
> http://www.theverge.com
> The place for your site !
>
> On Tue, 4 May 1999, Ken Stanley wrote:
>
> > Just out of curiousity why would you limit a perfectly fine PC
> > to just run a firewall? You should be able to add other services
> > along with the firewalled machine and not freak out over security
> > as bad as long as you set everything up properly.
> >
> > Isn't there an old saying, "The program is only as good as the
> > programmer?" Couldn't that be applied in this case too?
> >
> > Personally I run a small local network that has access to the
> > Internet via one of my Linux machines. This machine also
> > has a web server, file server, and a FTP server on it too.
> >
> > I don't have to worry about security with any of these services
> > running on the firewall machine because I set each up the way
> > I needed them to be so that only the correct people get access.
> > Granted this takes longer then just unpacking and installing the
> > source of each, but it is well worth it and helps consolidate
> > the expense of one machine per service.
> >
> > Personally I think that putting all your faith about these other
> > services in one simple firewall is crazy, but that is only me.
> >
> > Just a humbled opinion...
> >
> > Ken
> >
Reply to: