I have a couple of questions about firewall strategies. I currently
have a single Linux box doing duty as a web, mail, ftp, and news
server, and it's also a firewall and masquerading for an internal
network. It's time to break that functionality down into several
machines, for various reasons. I have a 16-address subnet. I initially
thought about using a three-homed machine along the lines of the
"serious example" at the end of the ipchains how-to. But having a
single point of entry/exit, while making security administration
easier, seems to me to introduce a weak point as well. If the
three-homed firewall goes down, I lose all services.
Instead I've been thinking about just exposing the various
mail/news/web servers and locking each down appropriately with
ipchains, and allowing telnet and a few other services throughout the
subnet for ease of maintenance. What's the better strategy? By exposing
more machines directly am I increasing my security risk significantly?
Or am I better protecting the network by only giving away a smaller
piece of the pie if I do get hacked? Root passwords are different for
all machines.
Thanks for your help,
Dave
Dave Harms
[EMAIL PROTECTED]
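An added example (not from Dave's post or the ipchains HOWTO) of the per-host lockdown the second strategy implies: a default-deny ipchains input chain that opens only that host's own service ports to the outside and permits telnet solely from the subnet. The subnet 192.0.2.0/28, the host address and the port list are placeholder assumptions; the external interface name is deliberately left out.

```shell
#!/bin/sh
# Added example, not part of the original message: emit or apply a
# default-deny ipchains input chain for one directly exposed server.
# Set IPCHAINS=echo to preview the rules instead of applying them.

gen_host_rules() {
    # $1 = this host's IP (placeholder), $2 = management subnet in CIDR
    # form (placeholder), remaining args = TCP ports this host serves
    host=$1; mgmt=$2; shift 2
    ipc=${IPCHAINS:-ipchains}

    # start from an empty chain whose policy denies everything
    $ipc -F input
    $ipc -P input DENY

    # local traffic is always allowed
    $ipc -A input -i lo -j ACCEPT

    # telnet for maintenance only from the internal subnet, never from
    # the world; every host gets the same rule with its own address
    $ipc -A input -p tcp -s "$mgmt" -d "$host" 23 -j ACCEPT

    # the public services this particular host provides
    for port in "$@"; do
        $ipc -A input -p tcp -d "$host" "$port" -j ACCEPT
    done

    # ipchains keeps no connection state, so replies to connections this
    # host opened are recognised by the absence of the SYN flag (! -y)
    $ipc -A input -p tcp ! -y -d "$host" -j ACCEPT

    # DNS answers to the resolver's queries (unprivileged ports only, so a
    # source port of 53 does not unlock the service ports above)
    $ipc -A input -p udp -s 0/0 53 -d "$host" 1024:65535 -j ACCEPT

    # log whatever falls through before the DENY policy swallows it
    $ipc -A input -l -j DENY
}

# usage: a mail server at 192.0.2.5 offering SMTP and POP3 (constructed)
# IPCHAINS=echo gen_host_rules 192.0.2.5 192.0.2.0/28 25 110
```

Each exposed machine gets its own copy of the chain with only its own ports listed, which is what makes the "expose each server" strategy contain a compromise to that one box.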