Grouping the types of services you mentioned on one box makes sense. Having your main email server, DNS, file shares etc. on the same box as your firewall is IMHO asking for trouble. And trying to run video and audio editing packages as well as your personal email client and X on the same box as the firewall is what I consider a problem waiting to happen.

The edges of your network need to be hardened as much as possible. Keeping user applications behind the firewall is what should be done. Putting security applications on the firewall is what it is for.

If I had not had a DBA wipe out a file system while doing an Oracle upgrade, which in turn knocked out email services for the entire department as well as web services and Lotus Notes on that box, I would probably be happy to put all kinds of stuff on a box. But including those kinds of applications on a firewall is in my book a major no-no. In my case this box was not used as a firewall, but if it had been then a major portion of the organization would have been off the Internet as well. This may be one of those items where if you have not been there at 11pm and got the t-shirt you may not think it a big deal.

My main point is the firewall should (and IMHO must) be a dedicated security box. If that box fails or is compromised, anything behind it is potentially in jeopardy. Running squid or VPN on that box can be part of your security and would be acceptable. And I do agree with you there are many ways to accomplish the same thing.

On Tue, 2003-07-22 at 01:01, Joe wrote:
> Scot L. Harris wrote:
>
> > I concur completely with your statements. While it is possible to
> > configure a linux system to act as your firewall such a system must be
> > hardened as much as possible. To me that means you don't load anything
> > but the bare minimum of packages needed to perform the firewall function
> > and disable all ports that are not required by the firewall. And such a
> > system must be monitored constantly for any signs of tampering. One of
> > the low cost hardware firewalls, such as linksys, netgear, or any of the
> > others provides a dedicated box that performs its function well.
>
> That's not the case if you want anything more than a simple, low
> performance nat box -
>
> > Keep your linux system on the inside where you can load any of the
> > latest packages or tools that you want to play with knowing that you
> > are protected fairly well by the dedicated firewall.
>
> bah - I have several linux systems on the inside - but the firewall is
> linux too, no need for anything else.
>
> In a bigger shop, the boxes tend to be a bit more specialized - but even
> then linux tends to be used for multiple things - for instance the
> firewall is often the squid proxy and vpn server as well...
>
> > And as you pointed out your entire network is not deprived of Internet
> > access when you want to reboot your machine after applying the latest
> > kernel patch (once you can get it downloaded).
>
> (?) you don't have to shut down the firewall/network to run up2date...
>
> > Or after you have applied that latest patch and your system becomes
> > unstable you will still be able to access the network with another box
> > to get the information needed to get the system back in operation.
>
> I dunno, I just don't seem to have these problems with linux - as for
> reboots, the box is down for maybe 30-45 seconds, once in awhile for a
> kernel update - that's easy to work around, just schedule the boot to
> the new kernel wisely.
>
> > This is not to say that the cheap firewalls are foolproof but because
> > they are so simple there is not much that can go wrong with them. And
> > while I have built many servers with lots of services loaded on them I
> > still believe utilizing dedicated machines for critical functions is
> > the best way to go. When something goes wrong it is much easier to
> > troubleshoot a machine that has just one or two major functions than
> > one that runs email, dns, ntp, oracle, apache, samba, print services,
> > file sharing, lotus notes (built 43 of these beasts at one job with all
> > that stuff). And when that machine goes south only a couple of parts of
> > your enterprise are affected instead of every major service. Also makes
> > it easier to get those services up and running on a temporary machine
> > quickly.
>
> Different strokes for different folks I guess - your ideas do have some
> merit, but we prefer the server consolidation approach - rather than the
> windows approach of multiple dedicated boxes, we leverage the strengths
> of linux by loading a small number of linux boxes with a lot of work -
> and linux does it all gladly, without complaints and without downtime -
> and with excellent performance.
>
> Joe

-- 
Scot L. Harris <webid@xxxxxxxxxx>

-- 
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
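Added example, not code from Scot's or Joe's messages: the thread's rule for a dedicated firewall box is "only the ports the firewall function needs, and watch constantly for tampering". One concrete way to enforce that is to audit what is actually listening on the box against an allowlist and against a previous snapshot. The allowlist below (sshd for administration, plus squid and openvpn as the two services both posters accept on the firewall) is an assumption, and the `ss -lntup` output it parses is constructed to look like a consolidated box that has grown smbd, named and sendmail.

```python
"""Audit the listening sockets on a dedicated firewall host.

Illustration added to this thread, not code from either poster. The sample
`ss` output is constructed; the allowlist is an assumption about which
services belong on the firewall (sshd, squid, openvpn).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    addr: str       # local address exactly as ss prints it
    port: int
    process: str    # process name from the users:((...)) column, or "?"


# (proto, port, process) triples allowed to listen on the firewall itself.
ALLOWED = {
    ("tcp", 22, "sshd"),
    ("tcp", 3128, "squid"),
    ("udp", 1194, "openvpn"),
}

# First process name inside ss's users:(("name",pid=...,fd=...)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(output: str) -> list[Listener]:
    """Parse the text of `ss -lntup` into Listener records; skips the header."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local Address:Port is the 5th column; rpartition copes with "[::]:22".
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        m = _PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners


def key(l: Listener) -> tuple:
    return (l.proto, l.port, l.process)


def unexpected(listeners, allowed=ALLOWED) -> list[Listener]:
    """Listeners not covered by the allowlist, sorted for stable reporting."""
    return sorted((l for l in listeners if key(l) not in allowed),
                  key=lambda l: (l.proto, l.port))


def drift(baseline: set, current: set) -> tuple[set, set]:
    """(appeared, vanished) relative to an earlier snapshot of key() triples.
    A service appearing on a dedicated firewall with no change record is the
    'sign of tampering' the thread says must be watched for."""
    return current - baseline, baseline - current


# Constructed sample modelled on `ss -lntup` output, not a real capture.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      1024   0.0.0.0:3128       0.0.0.0:*         users:(("squid",pid=1042,fd=12))
udp   UNCONN 0      0      0.0.0.0:1194       0.0.0.0:*         users:(("openvpn",pid=900,fd=6))
tcp   LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=1311,fd=20))
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*         users:(("named",pid=1100,fd=22))
tcp   LISTEN 0      10     127.0.0.1:25       0.0.0.0:*         users:(("sendmail",pid=1203,fd=5))
"""


def main():
    current = parse_ss(SAMPLE_SS)
    for l in unexpected(current):
        print(f"UNEXPECTED {l.proto}/{l.port} on {l.addr} ({l.process})")
    appeared, vanished = drift(set(map(key, [l for l in current if key(l) in ALLOWED])),
                               set(map(key, current)))
    print("appeared since baseline:", sorted(appeared))
    print("vanished since baseline:", sorted(vanished))


if __name__ == "__main__":
    main()
```

On a real box you would feed `parse_ss` the output of `ss -lntup` run as root (unprivileged runs leave the process column empty, which is why the parser falls back to "?"), keep the baseline snapshot off-box, and page on any non-empty `appeared` set. Matching on process name as well as port is deliberate: a listener on 3128 that is not squid is exactly the case you want flagged.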