Firewall Configuration Question... Is this possible?
dufresne at sysinfo.com
Tue Aug 2 20:03:35 CEST 2005
On Tue, 2 Aug 2005, Jan Engelhardt wrote:
>> doable, but not advised, a firewall should be single purpose, most servers
>> should be single purpose where possible. But then this is not often the case.
>> But a firewall certainly should be a single purpose system much like a router
>> is, they do similar work anyways.
> Having many servers has two disadvantages: Power consumption and
> administration expense (you gotta install and upgrade each of them).
> A "service split" [for load balance] is not bad, but you can also overdo it.
Security basics 101: servers have their single purpose. It makes monitoring
for patches for that specific service easier for that admin, makes for not
a single point of failure, and is more important for the network choke
points such as FW's. Of course, I'm coming at this with a corporate
perspective, not a little home network.
>> putting a web server on the firewall makes the firewall and the whole internal
>> network subject to any issues that the web services now face, plus you now have
>> to allow another set of ports/protocols directly to the system and not merely
> You don't run a webserver with root.
Of course not, but surely you understand once a shell is gotten on a
system, getting root is usually trivial, especially in most default
installs where everything and the kitchen sink go in. Few folks
actually do minimal installs these days, and many distributions of Linux,
and I'm guessing a number of the *BSD's, are a pain to minimalize. The same is
getting to be more and more true of the major vendored unixes as well.
As many have stated, it also depends upon your security posture, and the
importance of what you are protecting. Now, if I recall, the admin in
question that raised the issue had a .edu in their address. They have
been most notorious for *not* doing the right thing and trying to
"conserve" resources to the extent that they tend to be the bane of most
corporate and home user systems/networks, due to their users easily
exploiting the weaknesses that tend to be inherent in their design and
deployment. Thus my emphasis in this regard in stating the better
implementation. Now if you really wanna argue further these basics, I'd
invite you to the firewall wizards list to talk about minimal security
design implementations and what does not work in actually trying to secure
<doable does not imply best practice>
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>