hi carl
yes... it's nice to be able to separate all those services
into separate servers.... now you have to patch each one
whenever a patch is released.... that's good and bad too
problem is....the hardware is only 5%-10% of the costs of the
secure operation of their network....people costs more...
sometimes (usually) internal people are the ones creating the
bigger security risks.... with incorrect methodologies,
incorrect policies, mis-configured servers, forgotten servers,
etc..etc..
fix the internal network policies and procedures and it's
gonna become much harder from the outside to get back in...
if they don't have a budget for 2-4 machines.... for security
precautions... they should at least set up the 2-4 machines
for a few thousand total.... plus an automated update
service vs paying $50K-$100K/yr for trying to maintain some
sanity in an insecure process/procedures/policy...
good thing security is an ongoing and continuous 24x7 process...
have fun
alvin
On Wed, 9 May 2001, Carl E. Mankinen wrote:
> If you have a bastion that is running a myriad of services, all they have to do is
> exploit ONE weakness in one of those services and install a rootkit. Now they own them ALL.
>
> If you physically partition your services as well as logically, an exploit in one
> service will only gain them access to that one service. It's just more costly to have as many servers running.
>
> For example you have separate servers for DNS, HTTP, FTP, SMTP, SNTP, etc.
> One of the HTTP servers is rooted, so you collect evidence, and re-image the server.
> Meanwhile, your other services are unaffected and if you have multiple webservers
> and a loadbalancer, clients may never see the outage.
>