
Re: Centralized /etc/passwd ?



* Carel Fellinger (carel.fellinger@iae.nl) [020625 02:49]:
> On Tue, Jun 25, 2002 at 02:05:38AM -0700, Vineet Kumar wrote:
> > * Paladin (paladin@paladin.dhis.org) [020624 16:00]:
> ..
> > > BTW, what's more secure? Putting everything in the firewall PC or on
> > 
> > The general answer to this is that it's more secure to keep your
> > firewall machine as minimal as possible. The less it has on it, the
> > fewer possible holes there are.
> 
> The more liberal stance would be to have no external services open on
> the firewall (blocking them at the ip level), and run only a few local
> only services that you really can't live without on the firewall.
> 
>  
> ..
> > spare. In my home network, I only have one always-on machine, so its
> > duties are slightly more expanded than the paranoid firewall should be.
> > Even with just one extra machine, it's easy to make one a stripped-down
> > firewall-only box and the other your all-serving internal box (which can
> > also run dmz-type services, such as web, mail, etc. via DNAT).
> 
> IMHO it's stupid to mix dmz-type services with local only services as the
> point of DMZ is to shield your own network and your firewall from the
> hostile net. I really believe it's better to have the DMZ machine do
> DMZ services only, and lacking an extra server to put the local only
> services on the firewall. The chance of breaking into the firewall
> seems less than the chance of breaking into the DMZ with all its
> flaky services running.

Sure, and that's just the point. If I have a firewall machine running on
an Inet address and a server machine doing apache and sendmail for the
outside and also bind and samba inside, it's harder to catastrophically
break into the system. Say a remote exploit is found in sendmail which
allows the attacker to open a listening port that goes straight to a
root shell. Without also breaking something on the firewall (which is
running nothing but iptables) they can't ever connect to that backdoor.

Again, the ideal assumes availability of spare servers, but my point is
that with only 2 servers the setup can be much better than with only 1
doing firewall + services. In this case, it still shields your firewall
from the hostile net, if not your LAN. Putting them all on one box
has no such shielding effect. I guess my fault was using the term "DMZ"
which implies a degree of protection that this arrangement does not
afford.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
Satan laughs when we kill each other. Peace is the only way.

Attachment: pgpDHkW4QqyAJ.pgp
Description: PGP signature
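The two-box layout Vineet describes, as an added example that is not part of the original post or of any project: a firewall running nothing but iptables that DNATs 80/tcp and 25/tcp to an internal server, with everything else dropped, so that a bind-shell backdoor opened by a compromised sendmail on that server is unreachable from outside. The ruleset is written in iptables-restore syntax so it can be loaded as-is; the Python evaluator below it models only the subset used here (NEW connections, first match wins, chain policy otherwise) and is there to show the verdict for each connection attempt without root or a real kernel. Interface names, the 203.0.113.5 / 192.168.1.0/24 addresses and the backdoor port 31337 are assumptions.

```python
"""Model of a firewall-only box in front of an all-serving internal server.
Addresses, interfaces and the backdoor port are assumptions for illustration."""
import ipaddress
import shlex

EXT_IF, INT_IF = "eth0", "eth1"
FW_ADDRS = {"203.0.113.5", "192.168.1.1"}   # assumed firewall external/internal addresses
LAN = ipaddress.ip_network("192.168.1.0/24")
SERVER = "192.168.1.10"                       # apache + sendmail (outside), bind + samba (inside)

# Loadable with `iptables-restore < rules`; 80 and 25 are forwarded, nothing else.
RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.10:25
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

def parse(text):
    """Parse the iptables-restore subset above into {table: {policy, rules}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        else:
            toks = shlex.split(line)
            rule = {"chain": toks[1], "match": {}}
            i = 2
            while i < len(toks):
                opt = toks[i]
                if opt == "-j":
                    rule["target"] = toks[i + 1]
                elif opt == "--to-destination":
                    rule["to"] = toks[i + 1]
                elif opt == "-m":
                    pass  # match module name; its options follow as their own flags
                elif opt in ("-i", "-o", "-p", "-d", "-s", "--dport", "--ctstate"):
                    rule["match"][opt] = toks[i + 1]
                else:
                    raise ValueError("unsupported option %s" % opt)
                i += 2
            table["rules"][rule["chain"]].append(rule)
    return tables

def matches(rule, pkt):
    checks = {
        "-i": lambda v: pkt["in"] == v,
        "-o": lambda v: pkt["out"] == v,
        "-p": lambda v: pkt["proto"] == v,
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(v, strict=False),
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(v, strict=False),
        "--dport": lambda v: pkt["dport"] == int(v),
        "--ctstate": lambda v: pkt["state"] in v.split(","),
    }
    return all(checks[k](v) for k, v in rule["match"].items())

def walk(table, chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in table["rules"].get(chain, []):
        if matches(rule, pkt):
            return rule
    return {"target": table["policy"][chain]}

def evaluate(tables, in_if, src, dst, dport, proto="tcp"):
    """Follow a NEW connection through nat/PREROUTING, then INPUT or FORWARD."""
    pkt = {"in": in_if, "out": None, "src": src, "dst": dst, "dport": dport,
           "proto": proto, "state": "NEW"}
    hit = walk(tables["nat"], "PREROUTING", pkt)
    if hit["target"] == "DNAT":
        host, _, port = hit["to"].rpartition(":")
        pkt["dst"], pkt["dport"] = host, int(port)
    if pkt["dst"] in FW_ADDRS:
        verdict = walk(tables["filter"], "INPUT", pkt)["target"]
    else:
        pkt["out"] = INT_IF if ipaddress.ip_address(pkt["dst"]) in LAN else EXT_IF
        verdict = walk(tables["filter"], "FORWARD", pkt)["target"]
    return verdict, pkt["dst"], pkt["dport"]

def scenarios():
    t = parse(RULESET)
    attacker = "198.51.100.7"  # constructed external address
    return {
        "web":      evaluate(t, EXT_IF, attacker, "203.0.113.5", 80),
        "smtp":     evaluate(t, EXT_IF, attacker, "203.0.113.5", 25),
        "backdoor": evaluate(t, EXT_IF, attacker, "203.0.113.5", 31337),  # assumed bind-shell port
        "direct":   evaluate(t, EXT_IF, attacker, SERVER, 31337),         # even if routed, still dropped
        "fw_ssh":   evaluate(t, EXT_IF, attacker, "203.0.113.5", 22),
        "lan_ssh":  evaluate(t, INT_IF, "192.168.1.20", "192.168.1.1", 22),
        "lan_out":  evaluate(t, INT_IF, "192.168.1.20", "192.0.2.80", 443),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The point of the thread shows up in the `backdoor` and `direct` cases: the exploited sendmail can listen on whatever port it likes on 192.168.1.10, but the only way in from eth0 is through the two DNAT rules, and the FORWARD chain accepts nothing else. What the layout does not protect is the LAN side: bind and samba on the same server are still exposed to whatever the attacker can now do from 192.168.1.10, which is the shielding gap Vineet concedes at the end.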

