[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Need an advise about isolating a host in the DMZ

> Hi 
> I have a host in my DMZ that has both anonymous ftp and pop3 
> ports open
> (this can't be changed). since I really don't trust this setup, I was
> thinking about ways to isolate this host so no one who break to this
> computer, can access other computers on the DMZ (although other
> computers should be able to access it). one obvious solution is to
> create a second DMZ, but that would cost me the lost of three ip's, so
> I'm trying to figure out ways to isolate him without putting it in
> another subnet.
> I thought about 2 solutions so far:
>         1. putting iptables on all the other computers in the DMZ.
>         2. connecting this host to another VLAN and set this
>            configuration on the switch (I have to see if that's even
>            possible).
> Does anybody have another/better solution?
> thanx 
> -- 
> Haim

If you're about to set up firewalling on all your hosts (and thats a good
thing) do it also on the pop/ftp host :-). Run your services as non-root
(maybe chroot, too) and NAT ports that are privileged so daemons can listen
to them as non-root. This way, if anyone breaks in, they wont be root that
easy and will hopefully find it much harder to break local firewall rules.

One other thing you might like to do is to add a firewall just for that
host, in the DMZ. All trafic from/to your untrusted host should travel
through that additionnal firewall, and you could set it up so it lets no (or
nearly) connection possible from your untrusted host to others in the DMZ.
Btw, you loose zero IP, since your firewall can obviously NAT your host.

If you cannot afford to use a dedicaced host for firewalling, you might like
to try UserModeLinux. Setup firewall on the main box, and services on
another that runs on a virtual machine. This is probably not best since it
forces you reinstall many things and makes your conf non-too-standard.

As a conclusion, trafic from the internet to that host should go through 2
Trafic from that host to the DMZ should go through your additionnal

Hope this is clear and helps,


Reply to: