2009/10/24 <[email protected]>:
> I would choose 3. But on a side note you can set up BASE so that they are
> talking to a specific IP also with the web interface. So even if on the DMZ
> it's still only visible to the specified IP and port.

Glad you think 3 is good as well. I agree, if I put it on the DMZ then I'd
configure Apache and MySQL to be locked down as tightly as possible.

Robin

> Brett Hoff
> Senior IT Security Engineer, Antler, Inc.
> Sec+, Linux+, RHCT, GCFA
>
> -----Original Message-----
> From: Robin Wood <[email protected]>
> Date: Sat, 24 Oct 2009 16:08:30
> To: PaulDotCom Mailing List <[email protected]>
> Subject: [Pauldotcom] network architecture question
>
> I've put together a small network with a bunch of VMs running on a
> single host. As all the VMs talk through the host machine I've made
> that a kind of DMZ. I've got Snort running on it and want to use
> BASE as well. I want BASE to be only accessible from inside the
> network. My architecture question is, where do I install the web and
> db server?
>
> My options are:
> 1. db and web server on a VM and have db listen on a port so Snort can
>    report into the database
> 2. db and web on the DMZ
> 3. db on the DMZ and web on another machine.
>
> With 1 both db and web are tucked away on their own machine so the DMZ
> is only running the minimum of servers; the bad side is that having a hole
> through to db gives an in to that machine.
> With 2 no other machines are exposed but I'm running extra software on
> the DMZ, and the more things running the potentially weaker it is.
> With 3 the other machine is reaching out to the database so there
> doesn't need to be any inbound holes to the web machine, but the DMZ is
> running the extra service.
>
> Which of these three options is best? I think I prefer number 3 as the
> internal machine doesn't need any inbound holes but can still collect
> data from the db.
>
> I know this isn't a real DMZ and if the host is compromised the
> whole thing falls, so this is more of a thought exercise.
>
> Opinions please.
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
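As an added illustration of the lock-down Brett and Robin describe for option 3 (this is not code from the thread or from the BASE project): a small Python audit that checks a MySQL bind-address, the BASE account's GRANT, and the Apache access rule for the BASE directory, so the database on the DMZ is reachable only from the internal web machine and BASE only from the LAN. The addresses, the config fragments, the `base` account and the `snort` database name are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed addresses (not from the thread): DMZ host's inside interface, internal BASE box, LAN.
DB_IP, WEB_IP, LAN = "192.0.2.10", "192.0.2.20", "192.0.2.0/24"

def mysql_findings(my_cnf):
    """Flag a [mysqld] section that listens on every interface (unset or 0.0.0.0)."""
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", my_cnf, re.M)
    addr = m.group(1) if m else "0.0.0.0"  # mysqld defaults to all interfaces
    return [f"mysqld bound to {addr}: reachable on every interface"] if addr in ("0.0.0.0", "::") else []

def grant_findings(grants, web_ip=WEB_IP):
    """Flag BASE accounts that may connect from anywhere or hold more than the snort db."""
    out = []
    for g in grants:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+'(\w+)'@'([^']*)'", g, re.I)
        if not m:
            out.append(f"unparsed grant: {g}")
            continue
        privs, scope, user, host = m.groups()
        if host in ("%", ""):
            out.append(f"{user} may connect from any host")
        elif host != web_ip:
            out.append(f"{user} allowed from {host}, expected {web_ip}")
        if re.search(r"\bALL\b", privs, re.I) or scope == "*.*":
            out.append(f"{user} holds {privs} on {scope}; limit it to the snort database")
    return out

def apache_findings(httpd_conf, lan=LAN):
    """Flag a BASE directory block that is not restricted to the internal network."""
    allowed = re.findall(r"^\s*(?:Allow from|Require ip)\s+(\S+)", httpd_conf, re.M)
    if not allowed:
        return ["no Allow from / Require ip: BASE reachable from anywhere"]
    net = ipaddress.ip_network(lan)
    bad = [a for a in allowed
           if a.lower() == "all" or not ipaddress.ip_network(a, strict=False).subnet_of(net)]
    return [f"BASE allowed from {a}, which is outside {lan}" for a in bad]

# Constructed samples: a default-style install and the locked-down layout of option 3.
WEAK = ("[mysqld]\nbind-address = 0.0.0.0\n", ["GRANT ALL ON *.* TO 'base'@'%'"],
        "<Directory /var/www/base>\n  Allow from all\n</Directory>\n")
HARDENED = (f"[mysqld]\nbind-address = {DB_IP}\n",
            [f"GRANT SELECT, INSERT, UPDATE, DELETE ON snort.* TO 'base'@'{WEB_IP}'"],
            f"<Directory /var/www/base>\n  Require ip {LAN}\n</Directory>\n")

def audit(my_cnf, grants, httpd_conf):
    # An empty list means the deployment matches the "specific IP and port" lock-down.
    return mysql_findings(my_cnf) + grant_findings(grants) + apache_findings(httpd_conf)
```

Snort's own writer account on the DMZ host would be granted from localhost and checked the same way; a host firewall rule limiting port 3306 to the web machine's address belongs alongside the bind-address.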
