-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Mon, 1 Aug 2005, /dev/rob0 wrote:
R. DuFresne wrote:
that I am also trying to run Apache on the box that is doing the NAT
translation rules. Is it possible to run a web server on the same box
that is performing the translations?
doable, but not adised, a firewall should be single purpose, most servers
should be single purpose where possible. But then this is not often the
case. But a firewall certainly should be a single purpose system much
like a router is, they do similair work anyways.
I quite agree that this is the best practice. However in the real world it's
not something about which I am dogmatic. Most of my firewalls have at least
one service running in addition to sshd. (All are running sshd. Many are
running httpd and an MTA.)
I don't feel bad. :) In any security decision you should consider the threat
model. My main concern is in keeping the open services patched, and it's the
same regardless of whether they're running on the firewall or in a DMZ.
This is true, but if the services run in the dmz, there is far less a
threat to the soft cneter network if they get hit <the DMZ services>. If
run on the FW and you seen not the vuln in the lists, are too busy to
patch if you saw it, or something else interfieres, you are more liely to
toast more then a singe services server on the outside.
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFC7vo/st+vzJSwZikRArS1AJ0adtqWnLe9z6bKJH6qGAl31RpRJgCgx0vD
cRWdKwbSlq9ZPzoHmUVRk5Q=
=Ta+p
-----END PGP SIGNATURE-----
