Re: Need advice about isolating a host in the DMZ

On Wed, Dec 18, 2002 at 11:42:16AM +0200, Haim Ashkenazi wrote:
> Hi 
> I thought about 2 solutions so far:
>         1. putting iptables on all the other computers in the DMZ.
>         2. connecting this host to another VLAN and set this
>            configuration on the switch (I have to see if that's even
>            possible).

If you set up another VLAN then you are setting up another DMZ, and thus
losing the 3 IP addresses anyway. The only difference is that both DMZs
will be connected to the same switch. Question: who will do the routing
between VLANs?

> Does anybody have another/better solution?

These are not the best solutions, just some more possibilities:

3.- Set up a bridge firewall and connect your DMZ servers to it (i.e.
remove the switch).

4.- Add access control lists in the switch (if it allows you to).

5.- Add outgoing firewall rules in the server (an intruder needs to root
it to remove the rules, which might take some time if you have hardened it
properly and followed 'least privilege' in the setup of the
servers/services being offered).

	Of course the best solution would be a combination of all of them
(notice that 2, 3 and 4 are mutually exclusive, I think).

	My 2c. Regards
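An added illustration of option 5 (not part of the original mail): a default-deny OUTPUT policy for one DMZ server, emitted in iptables-restore format so it can be reviewed before loading. The interface name, resolver and syslog addresses and served ports are constructed for the example.

```shell
#!/bin/sh
# Egress lockdown for a single DMZ server: the host may answer the
# services it offers, but may only *start* connections to a DNS resolver
# and a syslog collector. A compromised service therefore cannot open
# new connections to the other DMZ hosts without first removing these
# rules (which needs root). Assumed, constructed values:
#   interface eth0, resolver 10.0.0.53, syslog host 10.0.0.10, TCP 80/443.

gen_egress_rules() {
    # $1 DMZ interface, $2 DNS resolver, $3 syslog host,
    # $4 space-separated TCP ports this host serves
    iface=$1; resolver=$2; loghost=$3; ports=$4
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT DROP [0:0]"
    # loopback is always allowed
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # packets belonging to connections that were already permitted,
    # in either direction (replies to clients, answers from the resolver)
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # inbound: only the offered services may be reached
    for p in $ports; do
        echo "-A INPUT -i $iface -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # outbound NEW connections: only DNS to the resolver and syslog to
    # the collector; everything else on the DMZ is unreachable from here
    echo "-A OUTPUT -o $iface -p udp -d $resolver --dport 53 -j ACCEPT"
    echo "-A OUTPUT -o $iface -p udp -d $loghost --dport 514 -j ACCEPT"
    # log dropped egress so an attempted pivot shows up at the collector
    echo "-A OUTPUT -j LOG --log-prefix \"dmz-egress-drop: \""
    echo "COMMIT"
}

# Review the output, then load it with: iptables-restore < ruleset
gen_egress_rules eth0 10.0.0.53 10.0.0.10 "80 443"
```

Because the state match is used, the connection-tracking module must be loaded on the server for replies to be accepted.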