RE: Need some advice about isolating a host in the DMZ

>> Hi
>> I have a host in my DMZ that has both anonymous ftp and pop3
>> ports open (this can't be changed). Since I really don't trust this
>> setup, I was thinking about ways to isolate this host so that nobody
>> who breaks into this computer can access other computers on the DMZ
>> (although other computers should be able to access it). One obvious
>> solution is to create a second DMZ, but that would cost me the loss
>> of three IPs, so I'm trying to figure out ways to isolate it without
>> putting it in another subnet.
>> I've thought of 2 solutions so far:
>>         1. putting iptables on all the other computers in the DMZ.
>>         2. connecting this host to another VLAN and setting this
>>            configuration on the switch (I have to see if that's even
>>            possible).
>> Does anybody have another/better solution?
>> thanks
Haim
> If you're about to set up firewalling on all your hosts (and that's a
> good thing), do it also on the pop/ftp host :-). Run your services as
> non-root (maybe chrooted, too) and NAT the privileged ports so the
> daemons can listen on them as non-root. This way, if anyone breaks in,
> they won't be root that easily and will hopefully find it much harder to
> break the local firewall rules.
Do you mean that I should redirect all the incoming (e.g. port 110)
requests to a port above 1024? that's a good idea.

> One other thing you might like to do is to add a firewall just for that
> host, in the DMZ. All traffic from/to your untrusted host should travel
> through that additional firewall, and you could set it up so that it
> allows no (or nearly no) connections from your untrusted host to the
> others in the DMZ. Btw, you lose zero IPs, since your firewall can
> obviously NAT your host.
> If you cannot afford to use a dedicated host for firewalling, you might
> like to try UserModeLinux. Set up the firewall on the main box, and the
> services on another one that runs in a virtual machine. This is probably
> not the best option, since it forces you to reinstall many things and
> makes your config not too standard.
> As a conclusion, traffic from the internet to that host should go through
> 2 firewalls.
> Traffic from that host to the DMZ should go through your additional
> firewall.
> Hope this is clear and helps,
Vincent
I'm thinking about using qmail as the smtp (only accessible from the mail
relay server)/pop3 server (from what I've read this is very secure
software). Any suggestions about which ftp server I should run (is proftpd
secure enough)?
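The two host-level measures discussed in this thread (redirecting the privileged ports so the daemons can bind as non-root, and local iptables rules so the untrusted box cannot open connections to the rest of the DMZ while the other hosts can still reach it) written out as a script. This is an added example, not part of the thread or any poster's configuration. The DMZ subnet, the host addresses, the high ports and the passive-ftp range are hypothetical placeholders; by default the script only prints the rules it would apply, and executes them only when run with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: host-level iptables rules for the
# untrusted ftp/pop3 box and for the other DMZ hosts.
# All addresses and the high ports below are hypothetical placeholders.
DMZ_NET="${DMZ_NET:-192.0.2.0/24}"       # the DMZ subnet (assumed)
UNTRUSTED="${UNTRUSTED:-192.0.2.10}"     # the ftp/pop3 host (assumed)
RELAY="${RELAY:-192.0.2.5}"              # mail relay allowed to speak SMTP to it (assumed)
PASV_RANGE="${PASV_RANGE:-50000:50100}"  # passive ftp data ports, if the daemon uses them (assumed)

# Print the rules by default; run with APPLY=1 to really execute them.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Rules that go on the untrusted ftp/pop3 host itself.
untrusted_host_rules() {
    # Redirect the privileged ports to unprivileged ones, so the daemons
    # can bind as non-root and an intruder who owns a daemon is not root.
    ipt -t nat -F PREROUTING
    ipt -t nat -A PREROUTING -p tcp --dport 21  -j REDIRECT --to-ports 2121
    ipt -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to-ports 1110

    # Inbound: only the services themselves, and SMTP only from the relay.
    # Packets reach INPUT with the already redirected destination port.
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 2121 -j ACCEPT
    ipt -A INPUT -p tcp --dport "$PASV_RANGE" -j ACCEPT
    ipt -A INPUT -p tcp --dport 1110 -j ACCEPT
    ipt -A INPUT -s "$RELAY" -p tcp --dport 25 -j ACCEPT

    # Outbound: replies to established connections are fine, but no new
    # connections from this box to anything else in the DMZ.
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -d "$DMZ_NET" -j DROP
}

# Rules that go on every other DMZ host: refuse anything the untrusted
# box initiates, while still being able to connect to it ourselves.
# (This flushes INPUT first; merge with existing rules if you have any.)
other_dmz_host_rules() {
    ipt -F INPUT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -s "$UNTRUSTED" -j DROP
}

case "${ROLE:-}" in
    untrusted) untrusted_host_rules ;;
    dmz)       other_dmz_host_rules ;;
esac
```

Run it as `ROLE=untrusted sh dmz-isolation.sh` on the ftp/pop3 box and `ROLE=dmz sh dmz-isolation.sh` on each other DMZ host to see the rules, and add `APPLY=1` to install them. The ESTABLISHED,RELATED rule must precede the DROP on the other hosts, otherwise replies from the untrusted box to connections they opened would be dropped as well. The daemons themselves still have to be configured to listen on the unprivileged ports (2121 and 1110 here) and to run as an unprivileged user, which iptables cannot do for you.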