[PLUG] Running firewall and services on one box?
Richard Langis
richard.langis at sun.com
Wed May 1 17:48:04 UTC 2002
If a hacker breaks into the firewall, you're vulnerable from the very second
he gets access.
If you have a second box that runs the services, he at the very *least* has to
crack that box as well. This will give you some time - and with the right
intrusion detection software running on the firewall, that little bit of time
might save your data AND your ass.
To be fair, I'll admit that I have my home systems set up the way your manager
suggests. A lot of my data is stored on my firewall - but this was mainly
because at the time I set it up, I didn't HAVE another box to use. I do now,
but I'm loath to tear it all down since it works so wonderfully. :)
However, a cheap, yet reliable Pentium or even 486 box for a firewall
shouldn't set you back any more than $100, and that's if you eBay it.
But, it's your data...
-R
Alex Daniloff wrote:
> Hello linux folkz,
> I apologize for such a stupid question, but my dept. manager didn't
> approve additional spending for firewall hardware, even an el-cheapo
> Pentium PC.
> He insists on running the firewall on the same box as the Web, DB, NFS and Mail
> servers to cut our department costs.
> So, I need to show him justification why it's a dangerous practice.
> His position on this issue is that using iptables you can separate the
> Internet NIC from the Intranet NIC, set up NAT and masquerading and put all
> unnecessary ports on the Internet interface in stealth mode.
> All necessary services for the internal network will be provided on the
> Intranet NIC separately from the Internet NIC.
> If a hacker breaks through the firewall into the DMZ, the (Web, DB, Mail)
> server will become vulnerable anyway.
> So he doesn't see a point to separate firewall from other servers.
>
> Could somebody please provide an explanation about this issue or point
> me to a source of information, so I can show it to my stubborn manager.
> Thank you very much in advance.
>
> Alex
--
s u n m i c r o s y s t e m s
~ Richard Langis Jr. ~
richard.langis at sun.com
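To make the two positions concrete, here is roughly what the manager's single-box iptables setup from the quoted message looks like as a ruleset (an added example, not code from the original thread). The interface names eth0/eth1, the 192.168.1.0/24 LAN, the port list and the dry-run IPT variable are assumptions.

```shell
#!/bin/sh
# Added example: the two-NIC, single-box ruleset described in the thread.
# Interface names, LAN range, ports and the dry-run default are assumptions.
EXT_IF=${EXT_IF:-eth0}            # Internet NIC
INT_IF=${INT_IF:-eth1}            # Intranet NIC
LAN=${LAN:-192.168.1.0/24}
# Default to printing the commands; set IPT=iptables to apply them for real.
IPT=${IPT:-"echo iptables"}

single_box_rules() {
    # Start clean and deny everything not explicitly allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections this host opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Web, DB, NFS and Mail reachable only from the LAN on the intranet NIC.
    # (NFS also needs portmapper and UDP in practice; left out for brevity.)
    for port in 80 443 3306 2049 25 143; do
        $IPT -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport "$port" -j ACCEPT
    done

    # The one service that must face the Internet: inbound mail.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 25 -j ACCEPT

    # "Stealth mode" for every other port on the Internet NIC: DROP rather
    # than REJECT, so probes of unused ports get no answer at all.
    $IPT -A INPUT -i "$EXT_IF" -j DROP

    # NAT/masquerading for the LAN going out, replies allowed back in.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Number of rules that share the kernel with the Web/DB/NFS/Mail daemons:
# all of them. A root compromise of any daemon on this host is a compromise
# of the firewall as well, which is the separation argument in the thread.
rule_count() {
    single_box_rules | grep -c ' -A '
}

single_box_rules
```

Run as written it only prints the commands; the point of the thread is that on a separate firewall box none of these rules can be touched by a daemon compromised on the server.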