RE: Need an advise about isolating a host in the DMZ

To: <debian-security@lists.debian.org>
Subject: RE: Need an advise about isolating a host in the DMZ
From: <haim@consonet.com>
Date: Wed, 18 Dec 2002 14:19:52 +0200 (IST)
Message-id: <32858.62.90.61.34.1040213992.squirrel@shepp>
In-reply-to: <51341B7FA34CD2119FA20008C7289B1C051C1BC4@panoramix.coe.int>
References: <51341B7FA34CD2119FA20008C7289B1C051C1BC4@panoramix.coe.int>

>> Hi
>>
>> I have a host in my DMZ that has both anonymous ftp and pop3
>> ports open
>> (this can't be changed). since I really don't trust this setup, I was
>> thinking about ways to isolate this host so no one who break to this
>> computer, can access other computers on the DMZ (although other
>> computers should be able to access it). one obvious solution is to
>> create a second DMZ, but that would cost me the lost of three ip's, so
>> I'm trying to figure out ways to isolate him without putting it in
>> another subnet.
>>
>> I thought about 2 solutions so far:
>>         1. putting iptables on all the other computers in the DMZ. 2.
>> connecting this host to another VLAN and set this
>>            configuration on the switch (I have to see if that's even
>> possible).
>>
>> Does anybody have another/better solution?
>>
>> thanx
>> --
>> Haim
>>
>
> If you're about to set up firewalling on all your hosts (and thats a
> good thing) do it also on the pop/ftp host :-). Run your services as
> non-root (maybe chroot, too) and NAT ports that are privileged so
> daemons can listen to them as non-root. This way, if anyone breaks in,
> they wont be root that easy and will hopefully find it much harder to
> break local firewall rules.
Do you mean that I should redirect all the incoming (e.g. port 110)
requests to a port above 1024? that's a good idea.

>
> One other thing you might like to do is to add a firewall just for that
> host, in the DMZ. All trafic from/to your untrusted host should travel
> through that additionnal firewall, and you could set it up so it lets no
> (or nearly) connection possible from your untrusted host to others in
> the DMZ. Btw, you loose zero IP, since your firewall can obviously NAT
> your host.
>
> If you cannot afford to use a dedicaced host for firewalling, you might
> like to try UserModeLinux. Setup firewall on the main box, and services
> on another that runs on a virtual machine. This is probably not best
> since it forces you reinstall many things and makes your conf
> non-too-standard.
>
> As a conclusion, trafic from the internet to that host should go through
> 2 firewalls.
> Trafic from that host to the DMZ should go through your additionnal
> firewall.
>
> Hope this is clear and helps,
>
> Vincent
>
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org

I'm thinking about using qmail as the smtp(only have access from the mail
relay server)/pop3 server (from what I've read this is a very secure
software). any suggestions about what ftp server should I run (is proftpd
secure enough)?

thanx
--
Haim

Reply to:

Follow-Ups:
- Re: Need an advise about isolating a host in the DMZ
  - From: Rick Moen <rick@linuxmafia.com>
- Re: Need an advise about isolating a host in the DMZ
  - From: Nick Boyce <nick@glimmer.demon.co.uk>

References:
- RE: Need an advise about isolating a host in the DMZ
  - From: DEFFONTAINES Vincent <Vincent.DEFFONTAINES@coe.int>

Prev by Date: Re: FTP-SSL
Next by Date: Re: FTP-SSL
Previous by thread: RE: Need an advise about isolating a host in the DMZ
Next by thread: Re: Need an advise about isolating a host in the DMZ
Index(es):
- Date
- Thread