Re: Debian Full Distro v Debian 'Stripped Down' for firewall?
On Mon, 17 Jan 2005, Dave Ewart wrote:
> We're doing the classic DMZ 'three-armed' network layout, nothing comes
Ah good.
> directly into GREEN; the DMZ will house the publicly-accessible
> servers.
Cool.
> Oh, yes, I agree - by GREEN I mean the local private network of course.
> My use of 'outgoing' was misleading ... :-)
Ah so you were asking about allowing udp/514 from the DMZ into the
internal GREEN network. Like all security decisions this is a risk
assessment.
Overall I would not consider this a moderate risk given that you are only
allowing access from the DMZ but anything allowed to connect to hosts on
the GREEN network is potentially a hazard. Someone cracking a box in the
DMZ may feed bogus information to syslogd (no way around that) or may try
to DoS syslogd on the log host even if they can't actually break into the
GREEN network.
If you were really paranoid you could have a 4th leg with the log host in
it ;)
Cheers,
Rob
--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073 Email: rbrockway@opentrend.net http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest (www.spi-inc.org)
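Receiver-side counterpart to the udp/514 rule discussed above, written as an added example for this archive page; it is not code from the thread, nor from Debian's sysklogd. It shows the two hazards Rob names handled at the log host: forged message content cannot be prevented, but each record is tied to the datagram's real source address and flagged when the claimed hostname does not match the one that address should use, and a per-source token bucket keeps one cracked DMZ box from flooding the daemon. The DMZ addresses (192.0.2.0/24, TEST-NET-1), the hostnames www1/mx1, the attacker address 203.0.113.9 and the rate figures are all assumed for illustration.

```python
"""UDP/514 syslog collector for the GREEN-side log host (added example).

Permitting udp/514 from the DMZ still leaves two risks: bogus messages
and a flood aimed at syslogd.  This collector cannot stop bogus content,
but it (a) accepts only the DMZ servers' real addresses, (b) records the
datagram's source IP next to the hostname the message claims, so forged
records stay attributable, and (c) rate-limits per source.
"""
import re
import socket
import time
from collections import defaultdict

# RFC 3164 message: <PRI>Mmm dd hh:mm:ss HOST CONTENT
_RFC3164 = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) "
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(datagram):
    """Split a raw datagram into facility/severity/timestamp/host/message, or None."""
    m = _RFC3164.match(datagram)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts").decode("ascii"),
        "claimed_host": m.group("host").decode("ascii", "replace"),
        "message": m.group("msg").decode("utf-8", "replace"),
    }


class TokenBucket:
    """Per-key token bucket: `rate` messages/second sustained, up to `burst` at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = float(rate), float(burst)
        self._state = {}  # key -> (tokens, last_update)

    def allow(self, key, now):
        tokens, last = self._state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self._state[key] = (tokens - 1.0 if ok else tokens, now)
        return ok


class Collector:
    def __init__(self, expected_hosts, rate=50, burst=200):
        # expected_hosts maps each permitted DMZ source IP to the hostname it should claim
        self.expected_hosts = dict(expected_hosts)
        self.bucket = TokenBucket(rate, burst)
        self.dropped = defaultdict(int)  # reason -> count, for the collector's own log

    def handle(self, datagram, src_ip, now=None):
        """Return the record to store, or None (and count why) if it is dropped."""
        now = time.monotonic() if now is None else now
        if src_ip not in self.expected_hosts:
            self.dropped["unlisted_source"] += 1
            return None
        if not self.bucket.allow(src_ip, now):
            self.dropped["rate_limited"] += 1
            return None
        rec = parse_syslog(datagram)
        if rec is None:
            self.dropped["malformed"] += 1
            return None
        rec["source_ip"] = src_ip  # what the network says, not what the message says
        rec["host_mismatch"] = rec["claimed_host"] != self.expected_hosts[src_ip]
        return rec


def serve(collector, bind_addr, port=514, sink=print):
    """Listen on the GREEN-side address and hand each datagram to the collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        datagram, (src_ip, _) = sock.recvfrom(8192)
        rec = collector.handle(datagram, src_ip)
        if rec is not None:
            sink(rec)


if __name__ == "__main__":
    # Constructed sample traffic; 192.0.2.0/24 (TEST-NET-1) stands in for the DMZ.
    c = Collector({"192.0.2.10": "www1", "192.0.2.11": "mx1"}, rate=1, burst=3)
    good = b"<34>Jan 17 10:00:00 www1 sshd[123]: Failed password for root from 203.0.113.5 port 4444 ssh2"
    forged = b"<34>Jan 17 10:00:01 mx1 sshd[123]: Accepted password for root from 10.0.0.1 port 22 ssh2"
    print(c.handle(good, "192.0.2.10", now=0.0))    # stored, host_mismatch False
    print(c.handle(forged, "192.0.2.10", now=0.1))  # stored, host_mismatch True: www1's IP claiming to be mx1
    print(c.handle(good, "203.0.113.9", now=0.2))   # None: not a listed DMZ server
    print(dict(c.dropped))
```

Binding port 514 needs root, so serve() would normally run under a dedicated account after the socket is opened; the firewall rule itself (udp/514 only from the DMZ servers' addresses to the log host) still belongs on the three-armed box, since the token bucket protects syslogd's CPU and disk but not the DMZ-to-GREEN link, which a flood can still saturate.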