Re: basic question about firewall usage
On Sat, 10 May 2003 01:37 am, Michael Bergbauer wrote:
> On Fri May 09, 2003 at 07:2327AM -0700, Xucaen wrote:
> > Hi all, I am going to set up a p133 as a
> > dedicated firewall. I have a couple of PCs
> > networked and I would like to share my cable
> > internet. Is there a concern with using this
> > machine for other things, such as printer
> > server, sql server, email server?
> Yes, there is: every additional service on the firewall increases the
> insecurity of the machine. So you have to decide which level of
> security you would like to have, and you should look for the more secure and
> trustworthy alternatives to the daemons you want to install - e.g. not
> necessarily using sendmail as long as you don't need its features.
> You also should keep an eye on the configuration of those services, e.g.
> if the service should be available only to the internal users, restrict
> it to them.
In general practice, it's considered bad form to put any services on a
firewall/router that aren't directly related to routing and packet filtering.
The logic behind it is that the firewall itself should (in theory) have
access to most services/machines on both sides of the firewall, and as such
any extra services placed on the firewall increase the risk that one of them
has a vulnerability, and if the firewall is vulnerable, then so is the rest
of your network.
To further extend this, in theory, if you trust your firewall, then you can
run vulnerable services behind it and not have to worry so much (I run test
servers and so forth at home behind a firewall, yet I implicitly trust my
firewall to block access to it from the Internet, so I feel - relatively -
I personally run a firewall machine (486 based) which handles the routing,
ADSL login, and firewall activities, and have a separate server (Pentium II
something) behind it for DNS, DHCP, SMB and so forth, and wouldn't
have it any other way.
GPG : http://n12turbo.com/tarragon/public.key
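The restriction Michael describes (a service that lives on the firewall but is reachable only by internal users), and the NAT needed to share the cable link, as an added example that is not part of the original thread or anyone's posted configuration. It generates an iptables rule set for a two-interface box and then audits that rule set, failing if any INPUT ACCEPT rule could match traffic from the external side. The interface names (eth0 outside, eth1 inside), the LAN subnet 192.168.1.0/24 and the service list are assumptions; adjust them for the real machine.

```shell
#!/bin/sh
# Added example, not from the original thread. Generate and audit an iptables
# rule set for a dedicated firewall/router that shares one Internet link and
# hosts a few services for the LAN only. Run with "apply" as root to load it.

EXT_IF="${EXT_IF:-eth0}"              # assumption: cable-modem side
INT_IF="${INT_IF:-eth1}"              # assumption: LAN side
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumption: LAN subnet

# Services hosted on the firewall that must be reachable from the LAN only
# (assumed list: ssh, smtp, ipp print server, mysql). Format: proto:port
LAN_ONLY_SERVICES="tcp:22 tcp:25 tcp:631 tcp:3306"

gen_rules() {
  # Emit one iptables command per line. Default policy is DROP, so a service
  # that is not explicitly opened on the internal interface is unreachable
  # from the Internet even if its daemon listens on all addresses.
  cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  for svc in $LAN_ONLY_SERVICES; do
    proto=${svc%%:*}
    port=${svc##*:}
    # Bound to the internal interface AND the LAN source range.
    printf 'iptables -A INPUT -i %s -s %s -p %s --dport %s -j ACCEPT\n' \
      "$INT_IF" "$LAN_NET" "$proto" "$port"
  done
  # Share the link: LAN may go out, only replies come back, masquerade outbound.
  cat <<EOF
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

audit_rules() {
  # Read a rule set on stdin. Print every INPUT ACCEPT rule that is not tied to
  # loopback, to established connections, or to the internal interface, and
  # exit non-zero if any was found. This catches the classic mistake of
  # opening a port "for the LAN" without an interface or source restriction.
  awk -v int_if="$INT_IF" '
    /^iptables -A INPUT / && / -j ACCEPT/ {
      if ($0 ~ /-i lo /) next
      if ($0 ~ /--state ESTABLISHED/) next
      if (index($0, "-i " int_if " ") > 0) next
      print "exposed on external side: " $0
      bad = 1
    }
    END { exit bad }'
}

case "${1:-show}" in
  apply) gen_rules | audit_rules && gen_rules | sh ;;  # assumption: root on the firewall
  *)     gen_rules ;;
esac
```

The audit is deliberately conservative: a rule that opens a port with only `-s 192.168.1.0/24` and no `-i eth1` is reported, because source addresses can be spoofed from outside while the ingress interface cannot. Run the audit again after any later edit to the rule set.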