[PLUG] Running firewall and services on one box?

Richard Langis richard.langis at sun.com
Wed May 1 17:48:04 UTC 2002


If a hacker breaks into the firewall, you're vulnerable from the very second 
he gets access.

If you have a second box that runs the services, he at the very *least* has to 
crack that box as well.  This will give you some time - and with the right 
intrusion detection software running on the firewall, that little bit of time 
might save your data AND your ass.

To be fair, I'll admit that I have my home systems set up the way your manager 
suggests.  A lot of my data is stored on my firewall - but this was mainly 
because at the time I set it up, I didn't HAVE another box to use.  I do now, 
but I'm loath to tear it all down since it works so wonderfully.  :)

However, a cheap, yet reliable pentium or even 486 box for a firewall 
shouldn't put you back any more than $100, and that's if you eBay it.

But, it's your data...

-R

Alex Daniloff wrote:

> Hello linux folkz,
> I apologize for such a stupid question, but my dept. manager didn't
> approve additional spending for firewall hardware, even an el-cheapo
> pentium PC.
> He insists on running the firewall on the same box with the Web, DB, NFS and Mail
> servers to cut our department costs.
> So, I need to show him justification why it's dangerous practice.
> His position on this issue is that using iptables you can separate the
> Internet NIC from the Intranet NIC, set up NAT and masquerading and put all
> unnecessary ports on the Internet interface in stealth mode.
> All necessary services for the internal network will be provided on the
> Intranet NIC separately from the Internet NIC.
> If a hacker breaks through the firewall into the DMZ, the (Web, DB, Mail)
> server will become vulnerable anyway.
> So he doesn't see a point to separate the firewall from other servers.
> 
> Could somebody please provide an explanation about this issue or point
> to a source of information, so I can show it to my stubborn manager.
> Thank you very much in advance.
> 
> Alex
> 
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
-- 
s u n  m i c r o s y s t e m s

   ~ Richard Langis Jr. ~
   richard.langis at sun.com
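
The two-NIC iptables policy that Alex's manager describes, written out as an
added example (this is not code from either message on this page). The interface
names eth0/eth1, the 192.168.1.0/24 LAN and "port 80 is the only public service"
are assumptions. The function only emits the iptables commands so the policy can
be reviewed; pipe its output to sh as root to apply it.

```sh
#!/bin/sh
# Added example, not from the original post. Emits the two-NIC iptables policy
# described in the thread: Internet NIC and Intranet NIC kept apart, NAT and
# masquerading for the LAN, and every port that is not explicitly opened on the
# Internet NIC dropped (a DROP policy answers nothing, which is what "stealth
# mode" port scanners report as "filtered").
#
# Assumed names (adjust to your box):
EXT_IF="eth0"             # Internet NIC
INT_IF="eth1"             # Intranet NIC
LAN="192.168.1.0/24"      # internal subnet behind INT_IF
PUBLIC_TCP="80"           # space-separated TCP ports the Internet may reach

# firewall_rules: print the iptables commands, one per line, in apply order.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN -j ACCEPT
EOF
    # Only the listed services are reachable on the Internet NIC; everything
    # else that happens to listen (NFS, the DB, SMTP, ...) falls to INPUT DROP.
    for p in $PUBLIC_TCP; do
        echo "iptables -A INPUT -i $EXT_IF -p tcp --dport $p -j ACCEPT"
    done
    cat <<EOF
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
EOF
}

# internet_accept_count: how many INPUT rules accept new traffic on EXT_IF.
# A quick sanity check before applying: it should equal the number of ports
# in PUBLIC_TCP and nothing more.
internet_accept_count() {
    firewall_rules | grep -c -e "-A INPUT -i $EXT_IF .* -j ACCEPT"
}

# Usage (as root):  firewall_rules | sh
# Review first:     firewall_rules; internet_accept_count
```

Two things the ruleset makes visible. The `-i eth1 -s 192.168.1.0/24 -j ACCEPT`
line is what "services on the Intranet NIC" means in practice: every daemon on the
box is reachable from the LAN, not a chosen few. And nothing in the INPUT chain
protects the host from a process already running on it; the daemon that answers
on port 80 runs on the same kernel that holds these rules, so a compromise of the
web server is a compromise of the firewall, which is Richard's point above.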