I would choose 3. But on a side note, you can set up BASE so that they are
talking to a specific IP, also with the web interface. So even if it's on the
DMZ, it's still only visible to the specified IP and port.
Brett Hoff
Senior IT Security Engineer, Antler, Inc.
Sec+, Linux+, RHCT, GCFA
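A check for the point Brett makes about binding BASE and its database to one internal address, added here as an example and not code from either poster: it parses constructed `ss -lntp`-style output and flags the watched ports (db on 3306, web on 80) that are not bound to the internal IP. The addresses, ports and process names are assumed sample values.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -lntp` output; not from any real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=812,fd=10))
LISTEN 0      128    10.0.0.5:80         0.0.0.0:*         users:(("apache2",pid=901,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=400,fd=3))
"""

# Ports that matter for the BASE setup: the db Snort reports into and the web UI.
WATCHED_PORTS = {3306: "db", 80: "web"}

@dataclass(frozen=True)
class Listener:
    addr: str      # local address the socket is bound to
    port: int
    process: str   # process name as reported by ss

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\[?[^\s\]]+\]?):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)

def parse_listeners(ss_output: str) -> list:
    """Parse LISTEN lines from `ss -lntp`-style text into Listener records."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return found

def exposed_services(listeners, internal_ip: str, watched=WATCHED_PORTS) -> dict:
    """Map role -> Listener for watched ports not bound solely to internal_ip.

    A wildcard bind (0.0.0.0 or [::]) answers on every interface, including the
    DMZ-facing one, which is exactly the exposure binding to one IP avoids.
    """
    findings = {}
    for lst in listeners:
        role = watched.get(lst.port)
        if role and lst.addr != internal_ip:
            findings[role] = lst
    return findings

if __name__ == "__main__":
    bad = exposed_services(parse_listeners(SAMPLE_SS_OUTPUT), "10.0.0.5")
    for role, lst in bad.items():
        print(f"{role}: {lst.process} bound to {lst.addr}:{lst.port}, expected 10.0.0.5 only")
```

In the sample, the web server is already bound to the internal address while the database is still listening on every interface, so only the db is reported.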

-----Original Message-----
From: Robin Wood <[email protected]>
Date: Sat, 24 Oct 2009 16:08:30 
To: PaulDotCom Mailing List<[email protected]>
Subject: [Pauldotcom] network architecture question

I've put together a small network with a bunch of VMs running on a
single host. As all the VMs talk through the host machine I've made
that as a kind of DMZ. I've got Snort running on it and want to use
BASE as well. I want BASE to be only accessible from inside the
network. My architecture question is, where do I install the web and
db server?

My options are:
1. db and web server on a VM and have db listen on a port so Snort can
report into the database
2. db and web on the DMZ
3. db on the DMZ and web on another machine.

With 1, both db and web are tucked away on their own machine so the DMZ
is only running the minimum of servers; the bad side is that having a hole
through to db gives an in to that machine.
With 2, no other machines are exposed but I'm running extra software on
the DMZ, and the more things running, the potentially weaker it is.
With 3, the other machine is reaching out to the database so there
doesn't need to be any inbound holes to the web machine, but the DMZ is
running the extra service.

Which of these three options is best? I think I prefer number 3 as the
internal machine doesn't need any inbound holes but can still collect
data from the db.

I know this isn't a real DMZ and if the host is compromised the
whole thing falls, so this is more of a thought exercise.

Opinions please.

Robin
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com