
Re: basic question about firewall usage



On Sat, 10 May 2003 01:37 am, Michael Bergbauer wrote:
> On Fri May 09, 2003 at 07:23:27AM -0700, Xucaen wrote:
> > Hi all, I am going to set up a p133 as a
> > dedicated firewall. I have a couple of PCs
> > networked and I would like to share my cable
> > internet. Is there a concern with using this
> > machine for other things, such as printer
> > server, sql server, email server?
>
> Yes, there is: every additional service to the firewall increases the
> insecurity of the machine. So you have to decide which level of
> security you like to have, and you should look for the more secure and
> trustworthy alternatives of the daemons you want to install - e.g. not
> necessarily using sendmail as long as you don't need its features.
>
> You also should have an eye on the configuration of those services, e.g.
> if the service should be available only to the internal users, restrict
> it to them.

In general practice, it's considered bad form to put any services on a 
firewall/router that aren't directly related to routing and packet filtering. 
The logic behind it is that the firewall itself should (in theory) have 
access to most services/machines on both sides of the firewall, and as such 
any extra services placed on the firewall increase the risk that one of them 
has a vulnerability, and if the firewall is vulnerable, then so is the rest 
of your network.

To further extend this, in theory, if you trust your firewall, then you can 
run vulnerable services behind it and not have to worry so much (I run test 
servers and so forth at home behind a firewall, yet I implicitly trust my 
firewall to block access to it from the Internet, so I feel - relatively - 
safe).

I personally run a firewall machine (486 based) which handles the routing, 
ADSL login, and firewall activities, and have a separate server (Pentium II 
something) behind it for DNS, DHCP, SMB and so forth, and wouldn't 
have it any other way.

t
-- 
GPG : http://n12turbo.com/tarragon/public.key
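The two pieces of advice in this thread (keep the firewall box itself minimal, and restrict anything that must stay on it to the internal side) both come down to knowing what is listening and on which address. The script below is an added example, not code from either poster: it parses `ss -ltn` style listener lines, flags every socket the Internet side could reach (bound to the wildcard address or to the WAN address), and prints iptables rules that confine such a port to the LAN interface and network. The interface names, addresses and the listener sample are constructed for illustration; the exception for port 22 is an assumed choice so the admin is not locked out of the box from outside.

```shell
#!/bin/sh
# Added example (not from the original thread): audit which TCP listeners on
# a firewall/router are reachable from the Internet side, and emit iptables
# rules that confine the ones that should only serve the LAN.
#
# Assumed, hypothetical values (adjust for the real box):
#   WAN_IP  - address on the cable/ADSL side
#   LAN_IP  - address on the internal side
#   LAN_NET - internal network
#   LAN_IF  - internal interface name
WAN_IP="203.0.113.10"
LAN_IP="192.168.1.1"
LAN_NET="192.168.1.0/24"
LAN_IF="eth1"

# Constructed sample in the format of `ss -ltn` (State Recv-Q Send-Q Local Peer).
# On a real box pipe `ss -ltn` into audit_listeners instead.
SAMPLE_LISTENERS='LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 192.168.1.1:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 203.0.113.10:3306 0.0.0.0:*
LISTEN 0 128 192.168.1.1:631 0.0.0.0:*'

# Read listener lines on stdin; print "addr port" for each socket the outside
# world can reach, i.e. bound to the wildcard address or to the WAN address.
# Loopback and LAN-address bindings are skipped: the kernel will not answer
# for those on the WAN interface, so they are already internal-only.
audit_listeners() {
    awk -v wan="$WAN_IP" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            addr = parts[1]; port = parts[n]
            if (addr == "0.0.0.0" || addr == "*" || addr == wan)
                print addr, port
        }'
}

# Print (do not apply) iptables rules that accept a TCP port only when it
# arrives on the LAN interface from the LAN network, and drop it otherwise.
# Review the output, then feed it to `sh` on the firewall if it looks right.
lan_only_rules() {
    port="$1"
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' \
        "$LAN_IF" "$LAN_NET" "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Rules for every externally reachable listener in the sample, except SSH on
# port 22, which (assumed here) the admin wants reachable from outside.
rules_for_exposed() {
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners | while read -r addr port; do
        [ "$port" = "22" ] && continue
        lan_only_rules "$port"
    done
}

echo "Listeners reachable from the WAN side:"
printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners
echo "Proposed LAN-only rules:"
rules_for_exposed
```

The better fix for SMB, MySQL and the printer daemon is still the one suggested above: bind them to the LAN address (or move them off the firewall entirely), so the audit shows nothing to confine; the netfilter rules are a second layer for daemons that cannot be told which address to listen on.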


