Re: firewall/service configs (was a bunch of other things)

On 02/07/07 17:04, Andrew Sackville-West wrote:
> On Wed, Feb 07, 2007 at 04:56:31PM -0600, Ron Johnson wrote:
>> On 02/07/07 13:57, Andrew Sackville-West wrote:
>>> On Wed, Feb 07, 2007 at 12:20:47PM -0600, Ron Johnson wrote:
>>>> On 02/07/07 11:31, Andrei Popescu wrote:
>>>>> If I were to transform my firewall machine in a mailserver then IMAP
>>>>> would be the best choice to access it.
>>>> That's the *second worst* place to put it.
>>> please enlighten. I am in the process of re-examining my home lan. My
>>> new mobo on the server includes two nics so I am thinking of using my
>>> server as the firewall as well... you seem, from the above, to think
>>> this is a bad idea. I don't doubt that it is...
>> Machines exposed to the Internet should have as few services on them
>> as possible.  This reduces the threat "surface" (i.e., the number of
>> available possible exploits).
> right.
>> Thus, the device "you" should expose to Internet should only be a
>> router+firewall and web cache (if needed).  ssh on that box should
>> only be visible to the LAN.
> right.
>> Have the firewall *redirect* incoming imaps requests to your server.
> and that is what I currently do. And it's a great use for this old 486
> that currently runs the firewall. I'm just looking at other
> possibilities to cut down on power usage and the all important
> available horizontal surface space. I discussed this issue a while ago
> with no real resolution, hence my question. 
> So running the service (IMAPS) in this case on the same box as the
> firewall exposes that firewall machine to direct attack if there is a
> compromise in the IMAPS server. This makes sense. But how exactly is
> that different from my current setup where the IMAPS server is run on
> a machine within the greenzone of my LAN.... hmmm... not really
> different at all in that a compromise on that server is still inside
> the lan. So in my now obviously bad setup it doesn't matter either
> way: a compromised IMAPS server is a compromise on my lan. ugh. gotta
> rethink all that. 

Yes, a compromised IMAPS daemon will leave your main server
vulnerable to attack from packets redirected from the router.

> What about running servers in sandboxes (virtual machines or
> chroots). I could move the only externally visible service (IMAPS) to
> a virtual machine or a chroot on my server and tie it to one of the
> two nics. This would put that service in a sort of orange-zone. And
> with the right configs, so that it only accepts requests from the
> fire-wall and not anywhere else on the lan, isolate it even more. 

AKA a DMZ.  That's an interesting thought: putting a DMZ inside a vm
on your main server.  I wouldn't trust a chroot, though.

> then again, I've got a couple extra nics now, I could upgrade to a
> full blown green/orange zone configuration. I'd still like to set up
> the virtual machine though as I only have the one server and want
> parts of that server freely accessible from the lan (music, photos,
> video, backups etc). thoughts?
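
The green/orange layout discussed in this thread, written out as an added example that is not part of any poster's message: a firewall that runs no mail service, redirects incoming IMAPS to a DMZ host, exposes ssh to the LAN only, and gives the DMZ no way to open connections into the LAN. The three interface names, the address 192.168.2.10 and the rule letting LAN clients reach IMAPS are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset for a
# firewall with three interfaces: Internet, LAN (green) and DMZ (orange).
# Interface names and the DMZ address passed in are the caller's assumptions.

emit_rules() {
    wan=$1 lan=$2 dmz=$3 imaps_host=$4
    # Accept only digits and dots so nothing else can leak into the ruleset.
    case $imaps_host in
        ''|*[!0-9.]*) echo "bad DMZ host address: $imaps_host" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Redirect incoming IMAPS to the DMZ host; the firewall runs no IMAP daemon.
-A PREROUTING -i $wan -p tcp --dport 993 -j DNAT --to-destination $imaps_host:993
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ssh to the firewall itself is reachable from the LAN only.
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -o $dmz -p tcp -d $imaps_host --dport 993 -m conntrack --ctstate NEW -j ACCEPT
# Assumption: LAN clients read mail over IMAPS too, and may browse out.
-A FORWARD -i $lan -o $dmz -p tcp -d $imaps_host --dport 993 -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
# No rule lets the DMZ open connections to the LAN: FORWARD policy drops them.
COMMIT
EOF
}

# Constructed sample values; on a real firewall pipe this into iptables-restore.
emit_rules eth0 eth1 eth2 192.168.2.10
```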

