Posted by markp on January 15, 2005, 11:33 am
Hi all,
I'm thinking of adding a linux based firewall to my home network, probably
on a mini-itx machine. I also need an email server and a file server that
can be accessed via a VPN.
Is it better from a security point of view to have physically separate
machines for the firewall and servers, or can these be in the same physical
machine without compromising security? I've heard that physically separating
them is good practice, but is there a genuine security reason or is this
just a maintenance issue?
Thanks!
Mark.
Posted by James Knott on January 15, 2005, 8:12 am
markp wrote:
> Is it better from a security point of view to have physically separate
> machines for the firewall and servers, or can these be in the same
> physical machine without compromising security? I've heard that physically
> separating them is good practice, but is there a genuine security reason
> or is this just a maintenance issue?
Firewalls should not be running anything not related to the firewall
function. The more you install or run, the greater the possibility of a
security risk. Ideally, you'd even forward vpn and ssh access to another
box, rather than allow it on the firewall.
Posted by Wolfgang Kueter on January 15, 2005, 1:12 pm
markp wrote:
> Is it better from a security point of view to have physically separate
> machines for the firewall and servers,
Yes.
> or can these be in the same
> physical machine without compromising security? I've heard that physically
> separating them is good practice, but is there a genuine security reason
> or is this just a maintenance issue?
Yes, there is a genuine security reason and that reads: 'Run as few (public)
services as possible on a security device!' For any service offered by the
box sooner or later an exploit might be found. What is not there cannot be
exploited. Best is to run _no_ services on a firewall at all.
On the other hand, more machines mean more effort for
administration (installing patches, hardware maintenance etc.).
Wolfgang
Posted by Tim Haynes on January 20, 2005, 11:32 am
dale@edgehp.invalid () writes:
[snip]
> It has always been my intent to re-open some remote connections, so I can
> get to my machines at work or when travelling. I haven't gotten around to
> it yet, so I have a hardware firewall and behind that a dual- homed
> server that can be turned into a secondary firewall.
>
> Any comment on using a combination of secondary firewall that also
> provides home lan (no external) services? If/when I allow any sort of
> external connection, it will probably only be a filtered OpenVPN
> endpoint.
I've recently moved, and shuffled the networking arrangements around thus:
outside world <- ADSL router <- linux box <- LAN boxes
                                          <- Wifi router
                                          <- mac desktop
linux box, in this case, used to be the primary firewall; now that's done
mostly on the ADSL router. I'm running rsync (for backups and gentoo
portage), dns and mail servers on the linux box, all internally visible
only. Can't say I have a major problem with it on the security front, it
fits my needs just fine. I'd be more worried if the box were the primary
firewall, but even so, I trust my ability to configure things to listen
only on the internal interfaces, and iptables, enough to risk it for home
purposes.
~Tim
--
CREMATORIA have been ordered to halve     |piglet@stirfried.vegetable.org.uk
the amount of toxic mercury released      |http://pig.sty.nu/
into the atmosphere from tooth fillings.  |
- random news from The Scotsman           |
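Two checks follow from the posts above: Wolfgang's "what is not there cannot be exploited" (so enumerate what is actually listening and compare it with what you meant to run) and Tim's "listen only on the internal interfaces, and iptables" (so confirm each service is bound to the LAN address, and have the packet filter drop everything on the outside interface regardless). The script below is an added example, not code from any post in this thread. It assumes a dual-homed box with eth0 towards the ADSL router and eth1 towards the LAN, the address 192.168.1.1 on eth1, the service list from Tim's setup (ssh, smtp, dns, rsync), and a constructed sample of `ss -Hltnup` output; the `-H` (no header) option needs a reasonably recent iproute2.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Audits what a
# dual-homed Linux box listens on and emits an iptables-restore ruleset that
# exposes the intended services on the LAN side only. Interface names,
# addresses, the service list and the sample ss(8) output are assumptions.

EXT_IF=eth0                 # assumed: faces the ADSL router (untrusted side)
INT_IF=eth1                 # assumed: faces the LAN
INT_ADDR=192.168.1.1        # assumed: the box's address on eth1
LAN_NET=192.168.1.0/24      # assumed LAN prefix

# Services that may be reached from the LAN, as proto:port pairs
# (ssh, smtp, dns over tcp and udp, rsync).
ALLOWED="tcp:22 tcp:25 tcp:53 udp:53 tcp:873"

# Constructed sample in the format of `ss -Hltnup` (listening tcp+udp sockets,
# numeric, with process names, no header). Two of the seven lines are wrong:
# sshd and rpcbind bind 0.0.0.0, so they answer on eth0 as well, and rpcbind
# is not on the allow-list at all.
SAMPLE_SS='tcp LISTEN 0 128 127.0.0.1:953 0.0.0.0:* users:(("named",pid=611,fd=21))
tcp LISTEN 0 128 192.168.1.1:53 0.0.0.0:* users:(("named",pid=611,fd=22))
udp UNCONN 0 0 192.168.1.1:53 0.0.0.0:* users:(("named",pid=611,fd=20))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=702,fd=3))
tcp LISTEN 0 100 192.168.1.1:25 0.0.0.0:* users:(("master",pid=815,fd=13))
tcp LISTEN 0 5 192.168.1.1:873 0.0.0.0:* users:(("rsync",pid=903,fd=4))
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=401,fd=8))'

# audit_listeners: reads ss output on stdin, prints one line per problem
# ("UNEXPECTED"/"WILDCARD"/"EXTERNAL" proto addr port process) and exits 1
# if anything was found. Loopback-only listeners are ignored.
audit_listeners() {
    awk -v int_addr="$INT_ADDR" -v allowed=" $ALLOWED " '
    {
        proto = $1; la = $5
        n = split(la, parts, ":")
        port = parts[n]
        addr = substr(la, 1, length(la) - length(port) - 1)
        proc = "?"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        if (addr == "127.0.0.1" || addr == "[::1]") next
        if (index(allowed, " " proto ":" port " ") == 0)
            finding = "UNEXPECTED"          # not a service we meant to run
        else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            finding = "WILDCARD"            # reachable on every interface
        else if (addr != int_addr)
            finding = "EXTERNAL"            # bound to some other address
        else
            next
        bad++
        printf "%s %s %s %s %s\n", finding, proto, addr, port, proc
    }
    END { if (bad) exit 1; exit 0 }'
}

# emit_ruleset: iptables-restore text. Default DROP on INPUT and FORWARD, the
# allow-list reachable only from the LAN via eth1, nothing accepted on eth0.
# LAN traffic is still forwarded out through eth0 (NAT, if this box does it,
# is not covered here).
emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for svc in $ALLOWED; do
        proto=${svc%%:*}
        port=${svc##*:}
        echo "-A INPUT -i $INT_IF -s $LAN_NET -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $EXT_IF -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    --audit) ss -Hltnup | audit_listeners ;;                  # live check on the box
    --apply) emit_ruleset | iptables-restore ;;               # load the rules (as root)
    *) printf '%s\n' "$SAMPLE_SS" | audit_listeners \
           || echo "audit: the findings above need attention" ;;   # demo on the sample
esac
```

Run without arguments to see the two findings on the constructed sample; `--audit` runs the same check against the live socket table, and `--apply` loads the ruleset. The two halves back each other up: binding each daemon to 192.168.1.1 keeps it from answering on eth0 at all, and the DROP policy on INPUT keeps it unreachable from the router side even if a later package update quietly resets a bind address to 0.0.0.0.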