
Re: secure topologies - smtp/dns/whois/....



hi ya

gazillion different solutions for "secure topologies" that
depend on time, $$$$ and machines available, skillset and
what you're protecting against

c ya
alvin

-- you need backups ... :-)

-- disallow insecure services even behind the firewall
	( telnet, ftp, pop3/imap, dhcp, wireless )
	use ssh, scp, pop3s/imaps, static ip, gw+fw instead

-- use different login for different services
	- email addy should NOT be your ssh login's

	- vpn login should be different ( you.vpn )
	- ppp login should be different ( you.ppp )
	- wireless login should be diff ( you.wireless )

-- use multiple firewalls 
	- use a secured/hardened/well designed "firewall"

	- harden all servers and services as if the firewall did NOT exist

	- one dmz ... www, mail, dns, ntp server, other external services
			( probably natting fw )
	- 2nd dmz ... vpn, ssh login server ??
	- 3rd dmz ... wireless
	- 4th dmz ... local lan
	- 5th dmz ... hr/payroll/acct payable/acct receivable

	- if you're using only one firewall ..
		- get a 386PC and make a 2nd firewall
		for internal machines separated from outside www/dns/mail


	-- too much firewall and gateway ??? donno ...
	( depends on the client's paranoia level and what the consequences are
	  WHEN a [cr/h]acker gets thru )


On Sat, 22 Mar 2003, Hanasaki JiJi wrote:

> Would you share your opinions on the following setup for daemons?
> 
> firewall runs
> 	whois server - gwhois or jwhois?
> 
> 	iptables - firewall
> 
> 	forwards-to/NAT-from internal smtp server
> 		<what iptables rules will accomplish this>
> 
> 	NAT outgoing DNS for internal bind9 server
> 
> 	bind9 - for external dns
> 		<no connection between these two servers>
> 
> 	NAT from internal SQUID server to internet
> 
> 	ntp - time server for internal
> 		<safe to run this on the firewall?>
> 	
> 
> host(s) inside the firewall
> 	smtp server - exim4
> 	dhcp3-server for internal
> 	bind9 - for internal dns
> 	squid - http proxy
> 	webserver - apache for internal and external
> 		domain.com
> 		internal.domain.com
> 		<both on same server>
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
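As an added example (not code from either poster), here is one iptables ruleset for the NAT firewall in the quoted setup: inbound SMTP forwarded to the internal exim4 host, outbound DNS allowed only from the internal bind9 host, outbound web only from the squid host, and everything forwarded out SNATed to the firewall's address. Interface names and addresses are constructed placeholders; the firewall's own INPUT chain (whois, external bind9, ntp) is not covered here.

```shell
#!/bin/sh
# Added example for the NAT firewall described on the list; all names
# and addresses below are constructed assumptions, not from the thread.
EXT_IF="eth0"              # interface facing the internet
INT_IF="eth1"              # interface facing the internal LAN
EXT_IP="203.0.113.10"      # firewall's public address (documentation range)
INT_NET="192.168.1.0/24"   # internal LAN
SMTP_HOST="192.168.1.25"   # internal exim4 server
DNS_HOST="192.168.1.53"    # internal bind9 (recursive resolver for the LAN)
SQUID_HOST="192.168.1.80"  # internal squid proxy

# Emit the rules rather than applying them, so they can be reviewed
# first; apply with:  build_rules | sh
build_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
# default deny for forwarded traffic; only replies and the rules below pass
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound SMTP: rewrite the public port 25 to the internal exim4 host,
# then allow exactly that new connection through FORWARD
iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 25 -j DNAT --to-destination $SMTP_HOST:25
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $SMTP_HOST -p tcp --dport 25 -m state --state NEW -j ACCEPT
# outbound DNS: only the internal bind9 host may talk to the internet on 53
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $DNS_HOST -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $DNS_HOST -p tcp --dport 53 -m state --state NEW -j ACCEPT
# outbound web: only squid, so LAN clients cannot bypass the proxy
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $SQUID_HOST -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# SNAT whatever is forwarded out the external interface to the firewall's IP
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
EOF
}
```

Because the FORWARD policy is DROP, a new service on the LAN gets no internet access until a rule is added for it, which is the intended failure mode.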