On Wed, Sep 22, 2004 at 11:05:15PM +0200, Gilles wrote:
> Hello.
>
> > [...]
> > ... anyway discussion of those issues is
> > appreciated I'd say, so let's keep the talk going ...
> >
>
> Fine :-)
> In fact, I'd like to understand what is the minimal hardware
> configuration, necessary to build a "complete" IT infrastructure,
> i.e. that would at least comprise services such as
> - file
> - web
> - mail
> - database
> - backup
>
> The aim is to be able to propose a "full-featured" solution to
> small organizations, which have limited resources, and be able
> to emphasize a level of security similar to the expensive solution
> where each server would be on its own physical box.
>
> E.g. if 5 people work with a computer each, it might be difficult to
> get them to buy twice as many computers...
>
> I imagined that the minimum would be 2 extra computers: one for the
> firewall (H1) and the other for the services (H2).
>
>                               [ (nic2) ] <----> [ (nic3) H2 ]
>   Internet <----> [ (nic1) H1          ]
>                               [ (nic4) ] <----> [ (nic5) H3 ]
>                                                 [ (nic6) H4 ] etc.
>
> H3 to H8 would be the 5 end-user machines, on a different subnet than
> H2 is on.

okay, this gives me a better picture of the desired setup, and in this
case I'd opt for the following (maybe unconventional?) setup:

  Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...

with a border firewall on H1 and a simple firewall and proxy solution
on H2, a single vserver on H1 with CAP_NET_ADMIN and vservers for each
service on H2.

why? because! no seriously, IMHO this would allow to do the following
things in a secure way:

 - in office traffic between hosts
 - controlled usage of the services on H2 from inside
 - double checked services to the outside
 - monitored firewall, only the single vserver is communicating with
   the internet (e.g. tripwire is running on the host) ...
 - firewall host only reachable from inside
 - no issues on service maintenance, just close the service on the
   border fw
 - a second layer of protection from vservers for the services and
   the firewall stuff
 - ...

HTH,
Herbert

> But it can be objected that H2 shouldn't host both the public (e.g. web)
> and the private (e.g. database) services.
>
> So, I was wondering:
> Is it possible to have "virtual" networks inside H2? If yes, how?
> Even if it is possible, if each service on H2 runs inside its own vserver,
> is it necessary to have a virtual DMZ?
> Would it be enough if each service is configured to listen to its IP address
> only?
> Are there obvious security threats?
>
>
> > > P.S. I can't seem to be able to subscribe to the ML,
>
> I'm subscribed now.
>
>
> Best regards,
> Gilles
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
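As an added example that is not part of the thread, the following script sketches the border-firewall part of the layout Herbert describes for H1 (Internet <-> nic1 H1 nic2 <-> H2): the firewall host is reachable only from the inside link, only H2 may originate traffic towards the internet, and the outside reaches nothing but the published web ports on H2. The interface names nic1 and nic2 come from the diagram; the H2 address, the published ports, and the choice of iptables with the state match are assumptions. Run it as-is to print the rule set for review, or with APPLY=1 as root to install it. The single vserver on H1 that Herbert wants talking to the internet is not modelled; it would need its own OUTPUT rule keyed on its source address.

```shell
#!/bin/sh
# Added example, not configuration from the mailing-list thread.
# Border firewall for H1 in the two-hop layout: Internet <-> H1 <-> H2 <-> office.

WAN_IF="nic1"          # H1, internet side (name taken from the diagram)
LAN_IF="nic2"          # H1, link towards H2 (name taken from the diagram)
H2_ADDR="10.0.0.2"     # H2's address on the H1<->H2 link (constructed value)
PUBLIC_PORTS="80,443"  # the only services published to the outside (assumed: web on H2)

# Emit one iptables invocation, or execute it when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

h1_rules() {
    # Start from an empty table with default deny in every chain.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Traffic to the firewall host itself: loopback, replies to its own
    # connections, and ssh only from H2 over the inside link. Nothing that
    # arrives on the internet interface may open a connection to H1.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$H2_ADDR" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -j LOG --log-prefix "H1-INPUT-DROP: "

    # The host answers established flows and may talk to the inside link,
    # but never originates internet traffic on its own.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -j ACCEPT

    # Forwarding: only H2 goes outward (the office sits behind H2's proxy);
    # the outside reaches only the published ports on H2. Everything else is
    # logged and dropped by the chain policy.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$H2_ADDR" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$H2_ADDR" -p tcp -m multiport --dports "$PUBLIC_PORTS" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "H1-FWD-DROP: "

    # NAT: publish H2's web ports on H1's outside address and hide the
    # inside behind H1 on the way out.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$PUBLIC_PORTS" -j DNAT --to-destination "$H2_ADDR"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Review helper: number of INPUT rules that accept anything arriving on the
# internet interface. The design requires this to be zero.
wan_input_accepts() {
    h1_rules | grep -c -- "-A INPUT -i $WAN_IF.*ACCEPT" || true
}

# Print (or, with APPLY=1, install) the rule set.
h1_rules
```

The printed form is meant to be read before it is applied: checking that no INPUT rule names the internet interface is the quickest way to confirm "firewall host only reachable from inside" survived later edits to the script.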
