On Tue, Jul 03, 2007 at 10:00:35PM -0400, Douglas Allan Tutty wrote:
> On Tue, Jul 03, 2007 at 06:22:46PM -0500, Ron Johnson wrote:
> > On 07/03/07 13:25, Andrew Sackville-West wrote:
> > >
> > > Dom0: local file server (video, music, local backups)
> > >
> > > DomU1: firewall
> >
> > I understand the need for a small, "separate" firewall.
> >
> Does this really give any more security than running the firewall as a
> regular part of the main box? Is it as secure as a separate old
> computer? These three (plus I suppose a commercial hardware firewall)
> seem to be the choices. How do they compare for security?

I don't really know, but the following things occur to me:

1. It's separate and distinct, serves only one purpose, and thus is less
likely to have vulnerabilities. A separate firewall machine has so few
packages installed that it is more secure just because it has fewer
possible vulnerabilities.

2. The separate machine, if it falls to some attack, is a separate
machine. That means there is one more step to be taken to get to some
damaging location. Granted, once you're past the firewall, it's a pretty
simple step. This assumes that it's the firewall that gets cracked and
not some other machine behind the firewall that gets cracked.

I don't think there is anything wrong with a Debian machine on the net
with its local firewall as the only thing protecting it. But I think if
you want anything more sophisticated, some sort of separate device is the
way to go.

A