Re: Need an advise about isolating a host in the DMZ
- To: Haim Ashkenazi <haim@consonet.com>
- Cc: debian-security@lists.debian.org
- Subject: Re: Need an advise about isolating a host in the DMZ
- From: Adrian Phillips <adrianp@powertech.no>
- Date: 18 Dec 2002 12:24:42 +0100
- Message-id: <873covefid.fsf@grannyogg.localnet>
- In-reply-to: <1040204536.12811.100.camel@parker>
- References: <1040204536.12811.100.camel@parker>
>>>>> "Haim" == Haim Ashkenazi <haim@consonet.com> writes:
Haim> Hi I have a host in my DMZ that has both anonymous ftp and
Haim> pop3 ports open (this can't be changed). since I really
Haim> don't trust this setup, I was thinking about ways to isolate
Haim> this host so no one who break to this computer, can access
Haim> other computers on the DMZ (although other computers should
Haim> be able to access it). one obvious solution is to create a
Haim> second DMZ, but that would cost me the lost of three ip's,
Haim> so I'm trying to figure out ways to isolate him without
Haim> putting it in another subnet.
Haim> I thought about 2 solutions so far: 1. putting iptables on
Haim> all the other computers in the DMZ. 2. connecting this host
Haim> to another VLAN and set this configuration on the switch (I
Haim> have to see if that's even possible).
3. user-mode-linux (user-mode-linux.sf.net); put each service in a
seperate UML with tap interfaces to each UML with iptables making
sure anyway breaking the service in a UML can't get out.
Sincerely,
Adrian Phillips
--
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now? [OK]
Reply to: