On Wed, Sep 22, 2004 at 12:17:41AM +0200, Gilles wrote:
> Hi.
>
> > > Is it possible to set up the equivalent of a LAN with a DMZ and
> > > a "secure" part, all within a single physical machine (with a
> > > single network adapter)?
> >
> > yes, it is possible, but it does only make limited
> > sense if you are concerned about security ...
>
> (1)
> What is the exact difference, security-wise, between a single host
> and two hosts physically separated by a network wire (assuming that
> the Internet access point is secured by same SW (netfilter) firewall
> rules)?

- the firewall will not have open ports for services on the second host
- somebody able to crack the firewall has to do similar for the second host ...
- services provided on the separate host do not leak to the outside

> > sorted by increasing security IMHO:
> >
> > - single host, firewall, services, enduser, 1nic
> > - single host, firewall, vservers (services), 1nic
> > - single host, firewall, vservers (services, enduser), 2nic
> > - separate firewall, 2nic (services), 2nd-host enduser
> > - separate firewall, 2nic, 2nd-host (services), enduser
> > - separate firewall, 2nic, 2nd-host vservers (services), enduser
> >
>
> (2)
> Is the following what you mean by the last configuration summary given
> above (the most secure):
>
> Internet <----> [ (nic1) H1 (nic2) ] <----> [ (nic3) H2 ]
>
> So, H1 is the firewall host, and H2 the internal, secure, host where
> vservers run.

yes, and where the enduser is on a separate host H3
in the same (or even separate) network as H2

> (3)
> If (2) is the actual setup, can it be arguably considered as secure as
> a LAN and DMZ, physically different, like the following:
>
>                 [ (nic2) ] <----> [ (nic3) H2 ]
> Internet <----> [ (nic1) H1 ]
>                 [ (nic4) ] <----> [ (nic5) H3 ]
>
> where H2 (DMZ) would run vservers for applications like a web server,
> and H3 (secure LAN) would run vservers like a database.

if H2 is the only user of H3 then it would be 'more'
secure to use something like this:

Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> [H3]

> (4)
> With a physical setup as in (2), is it possible to use the vserver
> capacity in order to "simulate" (3)? [E.g. to have 2 "virtual"
> subnets inside H2, one of which would be the DMZ.]

yes, but it can be considered less secure than a separated
setup with vservers (IMHO) ...

> I've read the previous thread about "DMZ and vserver", but I didn't
> get what was the final proposal (physical setup, virtual zones...)
> An actual example would be welcome.

hmm, well, I'm no security expert and vserver setups really
depend on the _setup_ (similar to firewalls); you can have one
which doesn't provide you anything regarding security ...

I'll see, maybe I get around to depicting some example setups ...

anyway, discussion of those issues is appreciated I'd say,
so let's keep the talk going ...

best,
Herbert

> Thanks,
> Gilles
>
> P.S. I can't seem to be able to subscribe to the ML, I get a
> "Bug in Mailman version 2.1.4 -- We're sorry, we hit a bug!"
> page. [Yesterday, I sent a message to the list owner.]

which should help (as written on the wiki)

> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
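As an added example, not part of Herbert's reply or of the linux-vserver project: a small POSIX shell script that prints, rather than applies, netfilter rulesets for the two firewall hosts in the chained layout Herbert sketches (Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> [H3]). It makes the first bullet of the reply concrete: H1 accepts no new connection to a port of its own, it only translates and forwards the web ports to the vserver on H2, and H2 lets only that vserver open database connections towards H3. Interface names, the vserver and database addresses and the port numbers are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit, without applying, the netfilter
# rules for the chained layout
#   Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> [H3]
# H1 is a pure firewall, H2 hosts the web vserver, H3 holds the database and
# is reachable only from H2. Interface names, addresses and ports below are
# constructed placeholders; adjust them before piping the output to sh.

H1_EXT_IF="eth0"       # nic1 on H1, facing the Internet
H1_INT_IF="eth1"       # nic2 on H1, facing H2
H2_EXT_IF="eth0"       # nic3 on H2, facing H1
H2_INT_IF="eth1"       # nic4 on H2, facing H3
WEB_VS="192.0.2.10"    # address of the web vserver on H2 (TEST-NET-1, constructed)
H3_DB="198.51.100.20"  # database host H3 (TEST-NET-2, constructed)
DB_PORT="5432"
WEB_PORTS="80 443"

# Rules common to both hosts: deny by default, keep established flows.
base_rules() {
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# H1: no service listens here, so INPUT never accepts a new connection from
# nic1. Only the web ports are translated and forwarded on to the vserver.
h1_rules() {
  base_rules
  for p in $WEB_PORTS; do
    echo "iptables -t nat -A PREROUTING -i $H1_EXT_IF -p tcp --dport $p -j DNAT --to-destination $WEB_VS:$p"
    echo "iptables -A FORWARD -i $H1_EXT_IF -o $H1_INT_IF -p tcp -d $WEB_VS --dport $p -m state --state NEW -j ACCEPT"
  done
}

# H2: vserver guests use the host's network stack, so these rules govern the
# web vserver as well. New connections from nic3 may only reach the web ports
# of the vserver, only the vserver may open DB connections towards H3, and
# nothing is forwarded from nic3 to nic4.
h2_rules() {
  base_rules
  for p in $WEB_PORTS; do
    echo "iptables -A INPUT -i $H2_EXT_IF -p tcp -d $WEB_VS --dport $p -m state --state NEW -j ACCEPT"
  done
  echo "iptables -A OUTPUT -o $H2_INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A OUTPUT -o $H2_INT_IF -s $WEB_VS -d $H3_DB -p tcp --dport $DB_PORT -m state --state NEW -j ACCEPT"
  echo "iptables -A OUTPUT -o $H2_INT_IF -j DROP"
  echo "iptables -A FORWARD -i $H2_EXT_IF -o $H2_INT_IF -j DROP"
}

# Check for the first point in the reply: count INPUT rules on a host's
# external interface that accept a new connection to some port.
# Usage: exposed_ports h1 eth0
exposed_ports() {
  "${1}_rules" | grep -c -- "-A INPUT -i $2 .*--dport" || true
}

case "${1:-}" in
  h1) h1_rules ;;
  h2) h2_rules ;;
  check) echo "H1 exposes $(exposed_ports h1 "$H1_EXT_IF") port(s), H2 exposes $(exposed_ports h2 "$H2_EXT_IF") port(s)" ;;
esac
```

Run `sh dmz-rules.sh h1` (or `h2`) to review the rule list for a host, and pipe it to `sh` on that host once the placeholders are replaced; `sh dmz-rules.sh check` prints how many ports each host accepts on its outer interface, which is zero for H1 and exactly the web ports for H2.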
