hi ya

gazillion different solutions for "secure topologies" that
depends on time, $$$$ and machines available, skillset and
what you're protecting against

c ya
alvin

-- you need backups ... :-)

-- disallow insecure services even behind the firewall
        ( telnet, ftp, pop3/imap, dhcp, wireless
     use  ssh, scp, pop3s/imaps, static ip, gw+fw instead

-- use different login for different services
        - email addy should NOT be your ssh login's

        - vpn login should be different ( you.vpn )
        - ppp login should be different ( you.ppp )
        - wireless login should be diff ( you.wireless )

-- use multiple firewalls 
        - use a secured/hardened/well designed "firewall"

        - harden all servers and services as if the firewall did NOT exist

        - one dmz ... www, mail, dns, ntp server, other external services
                        ( probably natting fw )
        - 2nd dmz ... vpn, ssh login server ??
        - 3rd dmz ... wireless
        - 4th dmz ... local lan 
        - 4th dmz ... hr/payroll/acct payable/acct receivable

        - if you're using only one firewall ..
                - get a 386 PC and make a 2nd firewall
                for internal machines separated from outside www/dns/mail


        -- too much firewall and gateway ??? donno ... 
        ( depends on the client's paranoia level and what the consequences are
        ( WHEN  a [cr/h]acker gets thru


On Sat, 22 Mar 2003, Hanasaki JiJi wrote:

> Would you share your opinions on the following setup for daemons?
> 
> firewall runs
>       whois server - gwhois or jwhois?
> 
>       iptables - firewall
> 
>       forwards-to/NAT-from internal smtp server
>               <what iptables rules will accomplish this>
> 
>       NAT outgoing DNS for internal bind9 server
> 
>       bind9 - for external dns
>               <no connection between these two servers>
> 
>       NAT from internal SQUID server to internet
> 
>       ntp - time server for internal
>               <safe to run this on the firewall?>
>       
> 
> host(s) inside the firewall
>       smtp server - exim4
>       dhcp3-server for internal
>       bind9 - for internal dns
>       squid - http proxy
>       webserver - apache for internal and external
>               domain.com
>               internal.domain.com
>               <both on same server>
> 
> 
> 
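An added example, not from alvin's or Hanasaki JiJi's mail: a POSIX shell script that generates the iptables rules the quoted setup asks about (inbound SMTP DNATed to the internal exim4 host, outbound DNS allowed only from the internal bind9 host, outbound web only from the squid host, everything else forwarded from inside SNATed to the firewall's public address, and a default-DROP FORWARD chain in the spirit of "harden as if the firewall did not exist"). Interface names (eth0/eth1), the addresses and the variable names are assumptions constructed for this example; by default the script only echoes the rules so it can be read and tested anywhere, and setting IPT=iptables runs them for real as root.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates iptables rules for a
# gateway firewall with one external and one internal interface.
# All addresses below are constructed (TEST-NET-3 / RFC 1918), not real hosts.
EXT_IF=${EXT_IF:-eth0}                 # assumed external interface
INT_IF=${INT_IF:-eth1}                 # assumed internal interface
EXT_IP=${EXT_IP:-203.0.113.10}         # firewall's public address (constructed)
INT_NET=${INT_NET:-192.168.1.0/24}     # internal LAN (constructed)
SMTP_HOST=${SMTP_HOST:-192.168.1.25}   # internal exim4 host (constructed)
DNS_HOST=${DNS_HOST:-192.168.1.53}     # internal bind9 resolver (constructed)
SQUID_HOST=${SQUID_HOST:-192.168.1.80} # internal squid proxy (constructed)

# Dry run by default: "echo iptables" prints each rule instead of applying it.
# Run with IPT=iptables (as root) to actually load the rules.
IPT=${IPT:-"echo iptables"}

gen_rules() {
    # Default deny for forwarded traffic; only replies to permitted flows pass.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound SMTP: rewrite the destination to the internal exim4 host, then
    # allow only that rewritten flow (tcp/25 to SMTP_HOST) through FORWARD.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 \
        -j DNAT --to-destination "$SMTP_HOST:25"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$SMTP_HOST" --dport 25 \
        -m state --state NEW -j ACCEPT

    # Outbound DNS: only the internal bind9 host may query the Internet, and
    # only on port 53 (udp for normal queries, tcp for large answers/transfers).
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DNS_HOST" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$DNS_HOST" -p tcp --dport 53 -j ACCEPT

    # Outbound web: only the squid host talks to the Internet; LAN clients
    # must go through the proxy, which keeps logs and policy in one place.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$SQUID_HOST" -p tcp \
        -m multiport --dports 80,443 -j ACCEPT

    # Source NAT for whatever was permitted above, using the public address.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
}

# Number of rules the generator emits; handy for a sanity check before loading.
rule_count() {
    gen_rules | grep -c .
}

gen_rules
```

Because nothing in the LAN other than the three named hosts is allowed out, a compromised desktop cannot reach the Internet directly, which is the practical payoff of the "harden everything as if the firewall did not exist" advice in the reply: each exposed service is still limited to the single port and single host it needs.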
