Hi.

> > Is it possible to set up the equivalent of a LAN with a DMZ and
> > a "secure" part, all within a single physical machine (with a 
> > single network adapter)?
> 
> yes, it is possible, but it only makes limited
> sense if you are concerned about security ...

(1)
What is the exact difference, security-wise, between a single host
and two hosts physically separated by a network wire (assuming that
the Internet access point is secured by the same SW (netfilter) firewall
rules)?


> sorted by increasing security IMHO:
> 
>  - single host, firewall, services, enduser, 1nic
>  - single host, firewall, vservers (services), 1nic
>  - single host, firewall, vservers (services, enduser), 2nic
>  - separate firewall, 2nic (services), 2nd-host enduser
>  - separate firewall, 2nic, 2nd-host (services), enduser
>  - separate firewall, 2nic, 2nd-host vservers (services), enduser
> 

(2)
Is the following what you mean by the last configuration summary given
above (the most secure):

Internet <----> [ (nic1) H1 (nic2) ] <----> [ (nic3) H2 ]

So, H1 is the firewall host, and H2 the internal, secure, host where
vservers run.


(3)
If (2) is the actual setup, can it arguably be considered as secure as
a physically separate LAN and DMZ, like the following:

                [           (nic2) ] <----> [ (nic3) H2 ]
Internet <----> [ (nic1) H1        ]
                [           (nic4) ] <----> [ (nic5) H3 ]

where H2 (DMZ) would run vservers for applications like a web server,
and H3 (secure LAN) would run vservers like a database.


(4)
With a physical setup as in (2), is it possible to use the vserver
capacity in order to "simulate" (3)?  [E.g. to have 2 "virtual" 
subnets inside H2, one of which would be the DMZ.]

I've read the previous thread about "DMZ and vserver", but I didn't
understand what the final proposal was (physical setup, virtual zones...).
An actual example would be welcome.


Thanks,
Gilles

P.S. I don't seem to be able to subscribe to the ML; I get a
"Bug in Mailman version 2.1.4 -- We're sorry, we hit a bug!"
page. [Yesterday, I sent a message to the list owner.]
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
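Question (4) asks for an actual example of "simulating" the DMZ/LAN split of (3) inside the single host H2. The following is an added example written for this page, not code from the thread or from the Linux-VServer project. It models H2 as two address ranges (a "dmz" range for web-server vservers and a "lan" range for database vservers) with a default-deny netfilter policy between them, and renders the equivalent iptables rules. The zone names, the 10.0.1.0/24 and 10.0.2.0/24 ranges, the ports, and the use of nic3 as H2's interface towards H1 are all constructed assumptions; the only thing the thread itself establishes is that such a split lives inside one kernel, which is why the quoted reply calls it of "limited sense" compared to physically separate hosts.

```python
"""Model of a single-host "virtual DMZ": vservers on H2 sit in two address
ranges, and netfilter on H2 decides what may cross between them.

Example code written for this note, not from the thread or the
Linux-VServer project. Zone names, addresses, ports and the interface
name nic3 are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: two "virtual subnets" on one host.
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),  # web-server vservers
    "lan": ipaddress.ip_network("10.0.2.0/24"),  # database vservers
}
INET_IF = "nic3"  # assumed: H2's interface towards the firewall host H1


@dataclass(frozen=True)
class Flow:
    src: str    # zone name, or "inet" for anything arriving from outside
    dst: str
    proto: str
    dport: int


# Permitted inter-zone flows. Anything not listed is dropped (default deny);
# that default is what makes the "lan" range a secure zone rather than just
# a second subnet.
ALLOW = (
    Flow("inet", "dmz", "tcp", 80),
    Flow("inet", "dmz", "tcp", 443),
    Flow("dmz", "lan", "tcp", 5432),  # web tier -> database only
)


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside both ranges is 'inet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "inet"


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Verdict for the first packet of a new connection."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "ACCEPT"  # traffic within one zone is not filtered by this policy
    if Flow(src, dst, proto, dport) in ALLOW:
        return "ACCEPT"
    return "DROP"


def render_iptables() -> list[str]:
    """Emit netfilter rules equivalent to decide() for H2's INPUT chain.

    Assumption: every vserver address is local to H2, so traffic from
    outside (arriving on nic3) and traffic between the two zones (looped
    back over lo) are both seen by INPUT. Replies are admitted by
    connection tracking rather than by per-port rules.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in ALLOW:
        if f.src == "inet":
            match = f"-i {INET_IF} -d {ZONES[f.dst]}"
        else:
            match = f"-i lo -s {ZONES[f.src]} -d {ZONES[f.dst]}"
        rules.append(
            f"iptables -A INPUT {match} -p {f.proto} --dport {f.dport} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample connections: outside -> web, outside -> db,
    # web -> db on the allowed port, web -> db on another port.
    for pkt in [("203.0.113.5", "10.0.1.10", "tcp", 80),
                ("203.0.113.5", "10.0.2.10", "tcp", 5432),
                ("10.0.1.10", "10.0.2.10", "tcp", 5432),
                ("10.0.1.10", "10.0.2.10", "tcp", 22)]:
        print(pkt, "->", decide(*pkt))
    print("\n".join(render_iptables()))
```

The model and the rendered rules encode the same three flows, so the policy can be reasoned about (and unit-tested) before anything is loaded into the kernel. Note what the example cannot change: both zones, the filter, and the vserver isolation all run in H2's one kernel, so a compromise of that kernel removes the separation entirely, whereas in (3) an attacker on H2 would still face H1's rules before reaching H3.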
