
Re: Centralized /etc/passwd ?



On Tue, Jun 25, 2002 at 02:05:38AM -0700, Vineet Kumar wrote:
> * Paladin (paladin@paladin.dhis.org) [020624 16:00]:
...
> > BTW, what's more secure? Putting everything in the firewall PC or on
> 
> The general answer to this is that it's more secure to keep your
> firewall machine as minimal as possible. The less it has on it, the
> fewer possible holes there are.

The more liberal stance would be to have no external services open on
the firewall (blocking them at the IP level), and run only a few
local-only services that you really can't live without on the firewall.

 
...
> spare. In my home network, I only have one always-on machine, so its
> duties are slightly more expanded than the paranoid firewall should be.
> Even with just one extra machine, it's easy to make one a stripped-down
> firewall-only box and the other your all-serving internal box (which can
> also run dmz-type services, such as web, mail, etc. via DNAT).

IMHO it's stupid to mix dmz-type services with local-only services as the
point of DMZ is to shield your own network and your firewall from the
hostile net. I really believe it's better to have the DMZ machine do
DMZ services only, and, lacking an extra server, to put the local-only
services on the firewall. The chance of breaking into the firewall
seems less than the chance of breaking into the DMZ with all its
flaky services running.


-- 
groetjes, carel

