Re: DSL

Grouping the types of services you mentioned on one box makes sense. 
Having your main email server, DNS, file shares etc on the same box as
your firewall is IMHO asking for trouble.  And trying to run video and
audio editing packages as well as your personal email client and X on
the same box as the firewall is what I consider a problem waiting to
happen.  The edges of your network need to be hardened as much as
possible.  Keeping user applications behind the firewall is what should
be done.  Putting security applications on the firewall is what it is
for.

If I had not had a DBA wipe out a file system while doing an Oracle
upgrade, which in turn knocked out email services for the entire
department as well as web services and Lotus Notes on that box, I would
probably be happy to put all kinds of stuff on a box.  But including
those kinds of applications on a firewall is in my book a major no-no.

In my case this box was not used as a firewall, but if it had been, then a
major portion of the organization would have been off the Internet as
well.

This may be one of those items where if you have not been there at 11pm
and got the t-shirt you may not think it a big deal.

My main point is the firewall should (and IMHO must) be a dedicated
security box.  If that box fails or is compromised anything behind it is
potentially in jeopardy.  Running squid or VPN on that box can be part
of your security and would be acceptable.

And I do agree with you there are many ways to accomplish the same
thing.  
 
On Tue, 2003-07-22 at 01:01, Joe wrote:
> Scot L. Harris wrote:
> 
> >I concur completely with your statements.  While it is possible to
> >configure a Linux system to act as your firewall such a system must be
> >hardened as much as possible.  To me that means you don't load anything
> >but the bare minimum of packages needed to perform the firewall function
> >and disable all ports that are not required by the firewall.  And such a
> >system must be monitored constantly for any signs of tampering.  One of
> >the low cost hardware firewalls, such as Linksys, Netgear, or any of the
> >others provides a dedicated box that performs its function well.
> >
> That's not the case if you want anything more than a simple, 
> low-performance NAT box -
> 
> > Keep
> >your Linux system on the inside where you can load any of the latest
> >packages or tools that you want to play with knowing that you are
> >protected fairly well by the dedicated firewall.
> >
> bah - I have several Linux systems on the inside - but the firewall is 
> Linux too, no need for anything else.
> 
> In a bigger shop, the boxes tend to be a bit more specialized - but even 
> then Linux tends to be used for multiple things - for instance the 
> firewall is often the squid proxy and vpn server as well...
> 
> >
> >And as you pointed out your entire network is not deprived of Internet
> >access when you want to reboot your machine after applying the latest
> >kernel patch (once you can get it downloaded). 
> >
> 
> (?) you don't have to shut down the firewall/network to run up2date...
> 
> >Or after you have
> >applied that latest patch and your system becomes unstable you will
> >still be able to access the network with another box to get the
> >information needed to get the system back in operation.  
> >
> 
> I dunno, I just don't seem to have these problems with Linux - as for 
> reboots, the box is down for maybe 30-45 seconds, once in a while for a 
> kernel update - that's easy to work around, just schedule the boot to 
> the new kernel wisely.
> 
> >
> >This is not to say that the cheap firewalls are foolproof, but because
> >they are so simple there is not much that can go wrong with them.  And
> >while I have built many servers with lots of services loaded on them I
> >still believe utilizing dedicated machines for critical functions is the
> >best way to go.  When something goes wrong it is much easier to
> >troubleshoot a machine that has just one or two major functions than one that
> >runs email, dns, ntp, oracle, apache, samba, print services, file
> >sharing, Lotus Notes (built 43 of these beasts at one job with all that
> >stuff).  And when that machine goes south only a couple of parts of your
> >enterprise are affected instead of every major service. Also makes it
> >easier to get those services up and running on temporary machines
> >quickly.
> >
> Different strokes for different folks I guess - your ideas do have some 
> merit, but we prefer the server consolidation approach - rather than the 
> Windows approach of multiple dedicated boxes, we leverage the strengths 
> of Linux by loading a small number of Linux boxes with a lot of work - 
> and Linux does it all gladly, without complaints and without downtime - 
> and with excellent performance.
> 
> 
> Joe
-- 
Scot L. Harris <webid@xxxxxxxxxx>
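
The hardening rule quoted in this thread (bare minimum of packages, every port the firewall does not need closed, and constant monitoring for tampering) is easy to state and easy to drift away from once a box starts picking up "just one more" service. Below is an added example, written by the editor and not by either poster: a small POSIX shell audit that compares the TCP ports a firewall host is listening on against an allowlist and reports anything else. The allowlist (SSH, Squid, OpenVPN over TCP) and the sample listener list are constructed for illustration; on a live host you would feed it the local-address column of `ss -ltnH`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a firewall host for listening TCP
# ports that are not on an allowlist. Input is one "addr:port" per line, i.e.
# the Local Address:Port column of `ss -ltn` / `netstat -ltn`. On a real host:
#   ss -ltnH | awk '{print $4}' | audit_listeners

# Constructed allowlist: what a dedicated firewall box is expected to expose
# (SSH for management, Squid proxy, OpenVPN over TCP). Adjust to your own box.
ALLOWED_PORTS="22 3128 1194"

# Read "addr:port" lines on stdin; print each port not in ALLOWED_PORTS once,
# sorted numerically. Returns 0 if nothing unexpected is listening, 1 otherwise.
audit_listeners() {
    # The port is whatever follows the last colon, so both 0.0.0.0:25 and
    # [::]:25 resolve to 25.
    unexpected=$(
        awk -v allow="$ALLOWED_PORTS" '
            BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            /^[[:space:]]*$/ { next }
            {
                port = $0; sub(/.*:/, "", port)
                if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
            }' | sort -n
    )
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Constructed sample: a firewall box that has quietly grown a mail server,
# a DNS resolver and an Oracle listener alongside the services it should run.
SAMPLE_LISTENERS='0.0.0.0:22
0.0.0.0:3128
[::]:1194
0.0.0.0:25
127.0.0.1:53
0.0.0.0:1521'

# Usage: run the audit over the constructed sample and report.
rc=0
report=$(printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners) || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "OK: only expected ports are listening"
else
    echo "WARNING: unexpected listening ports on this firewall host:"
    printf '%s\n' "$report"
fi
```

The script only answers "what is listening that should not be"; it does not stop anything. Run it from cron or a monitoring agent and alert on a non-zero exit, and pair it with a package-count check so that an unexpected daemon is caught when it is installed, not months later during an outage.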


-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
