On 2 Oct 2003, Ryan Madison wrote:
> I have found myself faced with the task of updating the
> configuration of our infrastructure servers. Currently, my boss likes to
> mount /var/mail from our primary mail server onto his workstation. I
This particular issue could be handled by using fetchmail or rsync to
bring mail from the MTA box to a strictly internal host which is safer to
mount with NFS or CIFS.
> I guess my general question is: What are some suggestions on
> setting up a unix/linux infrastructure, providing ssh, web, dns, mail,
> and ftp services to the Internet, and providing nfs, cifs, dhcp, bootp,
> rarpd, and mail services for our internal office network in
> non-routeable ip space. Oh, and this needs to be done while striking a
> good balance between maintaining security, and useability.
There's no easy answer for a question like this. By definition, security
is a trade-off between usability and safety, with a point of diminishing
returns. Best practices require heavy segregation and least-privilege
configuration for everything. In reality, most businesses opt for
something in the middle.
As a rule of thumb, you shouldn't be running *any* external services
inside your corporate network. Each one should be in a DMZ (shared or
private--ideally private), and treated as a bastion host and locked down
accordingly. Ingress and egress filtering should be heavily applied to
the DMZ, and all traffic and hosts monitored for suspicious activity.
My recommendation, though, is that you guys should do a formal assessment
so that you have some idea of the cost-benefit ratio of whatever
architecture you decide to go with. I've seen a lot of security
initiatives fail because adequate planning and budgeting weren't done
first. Worse yet, sometimes the new architectures end up being more
vulnerable than the old ones.
To paraphrase Bruce Schneier, badly done security is worse than none at
all, because it leads to a false sense of confidence. Always know what
you're engineering for, and what you are leaving to fate. :)
--
"We don't condone copyright infringement, but it's time for the RIAA's
winged monkeys to fly back to the castle and leave the munchkins alone."
-=- Adam Eisgrau, P2P United
_______________________________________________
RLUG mailing list
http://www.rlug.org/mailman/listinfo/rlug
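The DMZ bastion with ingress/egress filtering recommended in the reply above, written out as an added example (not code from the thread or from RLUG): an iptables policy for the external mail relay that accepts public SMTP only, lets the internal pickup host fetch mail over ssh, and never lets the relay open connections into the office network. Interface name, address ranges and the admin/pickup hosts are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Placeholders (assumed):
DMZ_IF=eth0                    # Internet-facing interface of the relay
INTERNAL_NET=192.168.10.0/24   # office network in RFC1918 space
MAIL_PICKUP=192.168.10.5       # internal host that rsyncs /var/mail out
ADMIN_HOST=192.168.10.20       # workstation allowed to ssh in for admin
IPT=${IPT:-iptables}

# Emit the rules instead of applying them, so the policy can be reviewed
# (and checked below) without root; apply_rules pipes them into sh.
gen_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Ingress: SMTP is the only service this bastion offers to the Internet.
$IPT -A INPUT -i $DMZ_IF -p tcp --dport 25 -j ACCEPT
# Ingress from inside only: admin ssh, and rsync-over-ssh by the pickup host.
$IPT -A INPUT -p tcp -s $ADMIN_HOST --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s $MAIL_PICKUP --dport 22 -j ACCEPT
# Egress: the relay never initiates into the office net; log any attempt.
$IPT -A OUTPUT -d $INTERNAL_NET -j LOG --log-prefix "DMZ->INT "
$IPT -A OUTPUT -d $INTERNAL_NET -j DROP
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Everything else is logged, then dropped, so the DMZ can be monitored.
$IPT -A INPUT -j LOG --log-prefix "DMZ-IN-DROP "
$IPT -A INPUT -j DROP
$IPT -A OUTPUT -j LOG --log-prefix "DMZ-OUT-DROP "
$IPT -A OUTPUT -j DROP
EOF
}

apply_rules() { gen_rules | sh; }

# Sanity check before applying: no OUTPUT rule may ACCEPT traffic destined
# for the internal network (pull mail out of the DMZ, never push into it).
check_no_internal_egress() {
    ! gen_rules | grep -v '^#' | grep -- "-A OUTPUT -d $INTERNAL_NET" | grep -q ACCEPT
}
```

Run `gen_rules` to review the policy, then `apply_rules` as root on the relay once `check_no_internal_egress` passes.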