On Wed, 22 Jan 2003 09:32:11 +1300 Nick Johnson <[EMAIL PROTECTED]> wrote:
> I'm sorry, but I really don't understand all the extreme caution over
> using separate firewall and server machines.
> With an up-to-date installation of (say) debian configured with a good
> stateful IPChains firewall, weekly, or better, nightly, updates from the
> security feed, the machine is likely to be one of the more secure ones
> on the internet, especially considering most people's standards of
> "security". Obviously, you would not want to expose more than the barest
> necessary ports to the outside world (mail & web, most likely).
> Here at home I have my firewall PC also acting as an internal samba
> server, mail server (SMTP & IMAP), etc. All ports with the exception of
> SSH and HTTP are firewalled off from the outside world - I even use
> fetchmail to clear my mail, so SMTP is not open, either.
>
> I'm also puzzled as to how much more secure a separate firewall and
> server would be. If you're going to have to pinhole the firewall for the
> web & mail server, it will be directly vulnerable to bugs and loopholes
> in those services, and the firewall will still be vulnerable to
> TCP/UDP/IP level attacks. Once an intruder gains access to either, they
> have essentially unrestricted access to your network anyway.
>
> Besides, what vitally-important data is being stored here that warrants
> this sort of setup?

I have wondered the same from time to time, but all the security gurus say it's a no-no. One of the main justifications seems to be that more services mean more vulnerabilities - even linux has them, and there is a window of opportunity between discovery of an exploit and fixes (or, more importantly, application of fixes).

* Also, most people recommend a DMZ (or in ipcop talk, an "orange" zone) for publicly available servers, e.g. web, mail etc. This helps keep the public part of the network away from end user (insecure, windows) machines. It's therefore not a simple pinhole to your servers.

> -Nick
>
> (Note: My apologies if this letter sounds at all like a flame - not my
> intention! :)

it may be flame bait, but in the best possible way!

-- 
Nick Rout <[EMAIL PROTECTED]>
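The three-zone (red/green/orange) layout Nick Rout refers to, written as an added nftables ruleset rather than the ipchains setup either poster runs; interface names, the DMZ host address and the port choices are assumptions for this example, not anything from the thread. It shows why a DMZ is "not a simple pinhole": the internet reaches only the DMZ host on the published ports, and a compromised DMZ host cannot open new flows into the green LAN.

```shell
#!/bin/sh
# Zones: red = internet (eth0), green = LAN (eth1), orange = DMZ (eth2).
# Interface names and the DMZ address are assumptions; 192.0.2.10 is a constructed value.
RED=eth0; GREEN=eth1; ORANGE=eth2
DMZ_WEB=192.0.2.10   # the web/mail host living in the orange zone

# Prints the ruleset (dry run). To load it on a real box: dmz_ruleset | nft -f -
dmz_ruleset() {
cat <<EOF
flush ruleset
table inet dmz {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Public pinholes: the internet reaches only the DMZ host, only on these ports
    iifname "$RED" oifname "$ORANGE" ip daddr $DMZ_WEB tcp dport { 80, 443, 25 } accept
    # Green may use the DMZ services and browse out
    iifname "$GREEN" oifname "$ORANGE" accept
    iifname "$GREEN" oifname "$RED" accept
    # A compromised DMZ host gets no new flows into green, and outbound only mail delivery
    iifname "$ORANGE" oifname "$RED" tcp dport 25 accept
    iifname "$ORANGE" oifname "$GREEN" counter drop
    iifname "$ORANGE" oifname "$RED" counter drop
    # Nothing from the internet reaches green directly (counted so it shows up in nft list)
    iifname "$RED" oifname "$GREEN" counter drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    # The firewall itself exposes only ssh, and only to the green side
    iifname "$GREEN" tcp dport 22 accept
  }
}
EOF
}

dmz_ruleset
```

The `counter` on the drop rules is there so `nft list ruleset` shows whether anything in orange has started knocking on green, which is the detection signal a DMZ buys you.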
