Re: secure topologies - smtp/dns/whois/....
hi ya
gazillion different solutions for "secure topologies" that
depends on time, $$$$ and machines available, skillset and
what you're protecting against
c ya
alvin
-- you need backups ... :-)
-- disallow insecure services even behind the firewall
( telnet, ftp, pop3/imap, dhcp, wireless
use ssh, scp, pop3s/imaps, static ip, gw+fw instead
-- use different login for different services
- email addy should NOT be your ssh login
- vpn login should be different ( you.vpn )
- ppp login should be different ( you.ppp )
- wireless login should be different ( you.wireless )
-- use multiple firewalls
- use a secured/hardened/well designed "firewall"
- harden all servers and services as if the firewall did NOT exist
- one dmz ... www, mail, dns, ntp server, other external services
( probably natting fw )
- 2nd dmz ... vpn, ssh login server ??
- 3rd dmz ... wireless
- 4th dmz ... local lan
- 4th dmz ... hr/payroll/acct payable/acct receivable
- if you're using only one firewall ..
- get a 386 PC and make a 2nd firewall
for internal machines separated from outside www/dns/mail
-- too much firewall and gateway ??? donno ...
( depends on clients' paranoia level and what the consequences are
WHEN a [cr/h]acker gets thru )
On Sat, 22 Mar 2003, Hanasaki JiJi wrote:
> Would you share your opinions on the following setup for daemons?
>
> firewall runs
> whois server - gwhois or jwhois?
>
> iptables - firewall
>
> forwards-to/NAT-from internal smtp server
> <what iptables rules will accomplish this>
>
> NAT outgoing DNS for internal bind9 server
>
> bind9 - for external dns
> <no connection between these two servers>
>
> NAT from internal SQUID server to internet
>
> ntp - time server for internal
> <safe to run this on the firewall?>
>
>
> host(s) inside the firewall
> smtp server - exim4
> dhcp3-server for internal
> bind9 - for internal dns
> squid - http proxy
> webserver - apache for internal and external
> domain.com
> internal.domain.com
> <both on same server>
>
>
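The iptables rules the question asks about, as an added example written for this thread rather than taken from either poster; the interface names, the 192.168.1.0/24 range and the three internal host addresses are assumptions. It only lets the hosts the layout designates reach the outside (the internal bind9 for DNS, squid for web, exim4 for mail), so other LAN machines cannot bypass them, and it logs what the firewall drops.

```shell
#!/bin/sh
# Constructed example for the two-host layout in the question (not from the
# thread). Interfaces and addresses below are assumptions; adjust to taste.
EXT_IF="${EXT_IF:-eth0}"        # interface toward the internet (assumed)
INT_IF="${INT_IF:-eth1}"        # interface toward the internal LAN (assumed)
INT_NET="192.168.1.0/24"        # internal LAN (assumed)
MAIL_HOST="192.168.1.25"        # internal exim4 host (assumed)
DNS_HOST="192.168.1.53"         # internal bind9 host (assumed)
SQUID_HOST="192.168.1.80"       # internal squid host (assumed)

# With DRY_RUN=1 the rules are printed instead of applied, so the resulting
# rule set can be reviewed without root before it is loaded on the firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

fw_rules() {
    # Default deny for forwarded traffic; only the flows below are allowed.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound SMTP: rewrite port 25 on the external interface to the internal
    # exim4 host, then permit exactly that forwarded flow.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST:25"
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$MAIL_HOST" --dport 25 -m state --state NEW -j ACCEPT

    # Outbound: only the internal bind9 may resolve, only squid may fetch
    # HTTP/HTTPS, only the mail host may deliver SMTP. Other LAN hosts get nothing.
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DNS_HOST" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DNS_HOST" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$SQUID_HOST" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$MAIL_HOST" -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Source NAT for the permitted outbound flows. MASQUERADE works whatever the
    # external address is; with a static address, SNAT --to-source is the tighter choice.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE

    # Rate-limited log of everything that falls through to the DROP policy,
    # which is the evidence you want when something on the LAN misbehaves.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP "
}

# Usage: "sh fw.sh show" prints the rules, "sh fw.sh apply" loads them as root.
case "${1:-}" in
    show)  DRY_RUN=1 fw_rules ;;
    apply) fw_rules ;;
esac
```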