John Stephens wrote:
-----Original Message-----
From: David Kirk [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 21 January 2003 1:27 p.m.
To: [EMAIL PROTECTED]
Subject: Re: [OSTC] Setup - Help Required
Chris,
>IPCop has these functions built-in, and a webserver to configure it. I can
>set up an IPCop for you. ( got disk, will travel :-)
Great, thanks. I am getting Jetstream Starter (hopefully) and an Alcatel
SpeedTouch Home ADSL Modem.
Allied Telesyn 240E is a neat ADSL Modem Router with built in firewall where
you can configure a DMZ. It has an Ethernet and USB connection and costs
about $400.
>>* I normally wouldn't load up a firewall with all these apps. I will
>>move some of them when I get another PC to act as the firewall.
>An adequate PC for the fire-wall can be got for just a few tens of dollars,
>it _really_ is not worth risking your net for that saving.
I've spent enough already. I will get a firewall PC later. Until then,
this will have to do. I don't expect to be keeping any sensitive data on
the network, but I will secure it as best I can.
>>Server - PIII 733, 256MB, 13GB
>>======
>>Linux (I prefer Debian)
>>LTSP (and some apps to run over the network)
>>PartImage (server and a boot disk for the workstations)
>
>I'd put the mail and web servers on this machine too, in a DMZ (?).
I could put mail and web on this server, but I am not putting the main
server in the DMZ. I would rather have the hackers playing with the other
PC.
I'm sorry, but I really don't understand all the extreme caution over using separate firewall and server machines.
With an up-to-date installation of (say) debian configured with a good stateful IPChains firewall, weekly, or better, nightly, updates from the security feed, the machine is likely to be one of the more secure ones on the internet, especially considering most people's standards of "security". Obviously, you would not want to expose more than the barest necessary ports to the outside world (mail & web, most likely).
Here at home I have my firewall PC also acting as an internal samba server, mail server (SMTP & IMAP), etc. All ports with the exception of SSH and HTTP are firewalled off from the outside world - I even use fetchmail to clear my mail, so SMTP is not open, either.
I'm also puzzled as to how much more secure a separate firewall and server would be. If you're going to have to pinhole the firewall for the web & mail server, it will be directly vulnerable to bugs and loopholes in those services, and the firewall will still be vulnerable to TCP/UDP/IP level attacks. Once an intruder gains access to either, they have essentially unrestricted access to your network anyway.
Besides, what vitally-important data is being stored here that warrants this sort of setup?
-Nick
(Note: My apologies if this letter sounds at all like a flame - not my intention! :)
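The setup Nick describes (one box acting as firewall and server, everything firewalled off from the outside except SSH and HTTP, mail pulled with fetchmail so SMTP is never exposed, replies to connections the box opens itself allowed back in) can be made concrete as a small policy model. This is an added illustration, not code from the thread or from IPCop/Debian: it models a default-deny filter with a connection table in Python rather than being a real ipchains/iptables ruleset, and the interface names, addresses and packets are all assumed or constructed for the example.

```python
"""Model of a default-deny stateful packet filter for a host that is both
firewall and server. Only SSH (22) and HTTP (80) are reachable from the
outside; SMTP (25) and Samba (445) are not; flows the host or LAN opened
get their replies back. Added example, not the thread's own configuration;
nothing here touches a real kernel."""
from dataclasses import dataclass

OUTSIDE = "ppp0"   # assumed name of the ADSL-facing interface
INSIDE = "eth0"    # assumed name of the LAN interface

# Pinholes: the only services deliberately exposed to the outside world.
EXPOSED_TCP_PORTS = {22, 80}


@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet arrives on
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # True for a TCP connection-opening packet
    outbound: bool = False  # True if generated by the firewall host itself


class StatefulFilter:
    def __init__(self):
        # Connection table: 5-tuples of flows the host or the LAN opened.
        self.conns = set()

    @staticmethod
    def _key(proto, a, ap, b, bp):
        return (proto, a, ap, b, bp)

    def decide(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet and update the table."""
        # 1. Traffic the host itself or the LAN sends out is allowed, and
        #    the flow is remembered so its replies can come back.
        if pkt.outbound or pkt.iface == INSIDE:
            self.conns.add(self._key(pkt.proto, pkt.src, pkt.sport,
                                     pkt.dst, pkt.dport))
            return "ACCEPT"
        # 2. A packet that answers a remembered flow is accepted; this is
        #    the "stateful" part (what iptables calls state matching).
        if self._key(pkt.proto, pkt.dst, pkt.dport,
                     pkt.src, pkt.sport) in self.conns:
            return "ACCEPT"
        # 3. A new inbound connection is allowed only to a pinholed port.
        if pkt.proto == "tcp" and pkt.syn and pkt.dport in EXPOSED_TCP_PORTS:
            return "ACCEPT"
        # 4. Default deny: everything else arriving from outside is dropped.
        return "DROP"


def run_sample_traffic():
    """Run constructed sample packets through the filter; returns a
    dict of scenario name -> decision so the outcome can be checked."""
    fw = StatefulFilter()
    host, lan_pc, remote, mailhost = "198.51.100.2", "192.168.1.10", "203.0.113.9", "192.0.2.10"
    r = {}
    # Inbound HTTP request from the internet: pinholed, allowed.
    r["inbound_http"] = fw.decide(Packet(OUTSIDE, "tcp", remote, 40000, host, 80, syn=True))
    # Inbound SMTP: not exposed because mail is fetched, so dropped.
    r["inbound_smtp"] = fw.decide(Packet(OUTSIDE, "tcp", remote, 40001, host, 25, syn=True))
    # Inbound Samba: internal-only service, dropped.
    r["inbound_smb"] = fw.decide(Packet(OUTSIDE, "tcp", remote, 40002, host, 445, syn=True))
    # A non-SYN packet to port 80 with no matching flow: not a connection
    # open and not a reply, so dropped even though 80 is pinholed.
    r["stray_http_ack"] = fw.decide(Packet(OUTSIDE, "tcp", remote, 40003, host, 80))
    # fetchmail on the host opens an outbound IMAP connection ...
    r["outbound_imap"] = fw.decide(Packet(OUTSIDE, "tcp", host, 50000, mailhost, 143, outbound=True))
    # ... and the mail server's reply to that flow is allowed back in.
    r["imap_reply"] = fw.decide(Packet(OUTSIDE, "tcp", mailhost, 143, host, 50000))
    # The same server sending to a port the host never used: no flow, dropped.
    r["unsolicited_from_mailhost"] = fw.decide(Packet(OUTSIDE, "tcp", mailhost, 143, host, 50001))
    # A LAN workstation browsing out, then the web server's reply coming back.
    r["lan_to_web"] = fw.decide(Packet(INSIDE, "tcp", lan_pc, 33000, remote, 80, syn=True))
    r["web_reply_to_lan"] = fw.decide(Packet(OUTSIDE, "tcp", remote, 80, lan_pc, 33000))
    return r


if __name__ == "__main__":
    for name, verdict in run_sample_traffic().items():
        print(f"{name:28s} {verdict}")
```

The ordering of the four checks mirrors how such a ruleset is usually written: trust the inside, let replies through, open the few pinholes, then drop by default. The `stray_http_ack` case shows why the SYN check matters: an exposed port still only accepts properly opened connections, everything else relies on an entry in the connection table.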
