A few things to consider:
1st off - never run programs or services on the firewall itself.
I doubt ANYONE on this mailing list will disagree with this.
2nd - consider segmenting the network. The purpose of the firewall is
to add a layer of protection to the machines behind it; however,
consider segmenting the machines into different untrusted networks
...if you feel the need to add firewall protection to the FTP server,
don't put it with the rest of the Windows boxes, put it on its own
segment.
3rd - remember that a firewall doesn't mean that things behind it can't be
exploited, so host-based security still needs to be addressed.
On a similar note... it sounds like the FTP server and the firewall are
both Linux. IP chains is IP chains.... if your defense is a Linux
firewall with IP chains, why not just leave the server outside of the
"trusted" network and use the same IP chains ruleset on it that you run on
the firewall?
As for accounting data on an FTP site? That's another discussion in
itself... I'd recommend ssh and "scp" (ssh-copy) for data transfer as a
MINIMUM for transmitting/receiving files from that server... but you will
REALLY need to address host security on that system.
- Aaron Schultz
- [EMAIL PROTECTED]
------
On Wed, 26 Jul 2000, Chris Mason wrote:
> Putting it outside the firewall negates the whole purpose of the firewall.
> Its only real purpose is to protect the accounting data. The network's only
> protected data is the accounting data.
> I don't want to FTP the data, I want to use it from the inside and the
> outside simultaneously.
> Besides, there will not be a machine outside the firewall. The firewall will
> NAT the internet feed.
> Everyone has jumped on me for putting data on the firewall, but no one has
> really given me a concrete example of a better way to go. I need to stay
> with Linux open source solutions. My optimal solution might be to use a SSH
> tunnel to the data, wherever on the LAN it is. However, I don't actually
> know how to do that with a Windows client and a Linux firewall.
>
>
> Chris Mason
> Box 340, The Valley, Anguilla, British West Indies
> Tel: 264 497 5670 Fax: 264 497 8463
> USA Fax (561) 382-7771
> Take a virtual tour of the island
> http://net.ai/ The Anguilla Guide
> Find out more about NetConcepts
> www.netconcepts.ai
> bwz*mq
>
> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 26, 2000 3:05 PM
> To: J Weismann
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Looking for firewall solution advice
>
>
>
> Because, as others have pointed out, having it inside opens holes into
> your network, and securing ftp is not an easy chore; look through the
> archives of bugtraq for the recent ftp exploits and the history of ftp
> vulnerabilities. A hardened host on the DMZ, backed up frequently, is the way
> to go with a task such as this. If the box was only for use by those
> inside on the main network, then ya put it there and watch it, but, since
> it's not and has to be accessible across the internet, ya put it where
> its compromise can do you the least harm. The key here is a hardened
> host, screened or perhaps itself firewalled to make its vulnerability as
> small as possible.
>
> Thanks,
>
> Ron DuFresne
>
> On Wed, 26 Jul 2000, J Weismann wrote:
>
> > Now why would you have it outside the firewall? By this I mean
> > Internet->files->firewall->LAN. Why not put it inside the protection of
> > the firewall so the files can be protected? I.e. Internet->firewall->files->LAN?
> >
> > That would be a much more secure solution and not leave those files
> > available to all who can hack the machine.
> >
> >
> > >From: Ron DuFresne <[EMAIL PROTECTED]>
> > >To: J Weismann <[EMAIL PROTECTED]>
> > >CC: [EMAIL PROTECTED], [EMAIL PROTECTED]
> > >Subject: Re: Looking for firewall solution advice
> > >Date: Wed, 26 Jul 2000 13:00:33 -0500 (CDT)
> > >
> > >
> > >never on the firewall, leave it outside and harden the host.
> > >
> > >Thanks,
> > >
> > >Ron DuFresne
> > >
> > >On Wed, 26 Jul 2000, J Weismann wrote:
> > >
> > > > I'll disagree with this for one reason. Firewall-GOOD! Outside
> > > > firewall file server-BAD!!! Put it on the inside of the firewall and
> > > > have the users tunnel or log into the firewall to get access to the
> > > > files. You leave that puppy out there on Friday and by Monday your
> > > > bandwidth is at 100% usage and wondering who set up a Warez FTP
> > > > server on your file server.
> > > >
> > > > Guard every file like it was your own......
> > > >
> > > >
> > > > >From: Ron DuFresne <[EMAIL PROTECTED]>
> > > > >To: Chris Mason <[EMAIL PROTECTED]>
> > > > >CC: [EMAIL PROTECTED]
> > > > >Subject: Re: Looking for firewall solution advice
> > > > >Date: Wed, 26 Jul 2000 10:31:05 -0500 (CDT)
> > > > >
> > > > >
> > > > >I'd rethink the solution and advice under consideration and put the
> > > > >file server on a totally different box, most likely on the outside of
> > > > >the firewall on the DMZ perhaps.
> > > > >
> > > > >Thanks,
> > > > >
> > > > >Ron DuFresne
> > > > >
> > > > >On Wed, 26 Jul 2000, Chris Mason wrote:
> > > > >
> > > > > > I'm advising a company on setting up a network with remote access.
> > > > > > The network will be Windows machines with a Linux firewall
> > > > > > configured with PMfirewall. There will be a single IP WaveLAN
> > > > > > Internet feed to the firewall which will be masq'ed for the
> > > > > > internal network which will use non-routable IPs.
> > > > > > The firewall machine will also be a fileserver for accounting
> > > > > > data. The client would like to be able to access the accounting
> > > > > > data on the firewall from outside using her laptop connected to
> > > > > > a dial-up account somewhere in the world. I would like to put in
> > > > > > place a VPN solution for her.
> > > > > > Any suggestions?
> > > > > >
> > > > > >
> > > > > > -
> > > > > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > > > > "unsubscribe firewalls" in the body of the message.]
> > > > > >
> > > > >
> > > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > > >"Cutting the space budget really restores my faith in humanity. It
> > > > >eliminates dreams, goals, and ideals and lets us get straight to the
> > > > >business of hate, debauchery, and self-annihilation." -- Johnny Hart
> > > > > ***testing, only testing, and damn good at it too!***
> > > > >
> > > > >OK, so you're a Ph.D. Just don't touch anything.
> > > > >
> ________________________________________________________________________
> > > > Get Your Private, Free E-mail from MSN Hotmail at
> http://www.hotmail.com