Re: DMZ implementation

Hi All:
> On Wednesday 20 November 2002 11:16, Paulo Abrantes wrote:
> > Hello all,
> >
> > I have a small home LAN, about 7 computers, and finally
> > I'm getting ADSL installed. Since I'm thinking in providing
> > services, such as ssh and http,

First of all, do you have a static IP address on ADSL? Check this first.
Implementing services like that is a big problem if you do not have a static IP
address.

> > I'm considering to implement
> > a DMZ. So I can leave those services in the DMZ, and leave
> > my private LAN alone.
> > What I have in mind is something like:
> >
> > Internet <- eth0 -> Gateway with NAT <- eth1 -> Switch for LAN
> >                                      <- eth2 -> DMZ
> >
> > My question is, if it is secure to get my gateway double legged, as
> > shown.
> 
> There's nothing necessarily insecure about this method if we're only looking 
> at the setup. It's common enough to do this.
> 
> > Or, should I get a 1st gateway that would NAT my DMZ and inside my DMZ,
> > would just have another gateway that would provide NAT for my private
> > LAN. This one seems more secure, since, if I get my 1st gateway
> > cracked the attacker still has to discover and beat the 2nd one. Though,
> > I do not see anymore advantages...
> 
> Presumably though, both systems would be configured similarly and patched up 
> (an ongoing thing of course!).  In this case, if there was a vulnerability in 
> the first gateway, it would also be in the second gateway. You could 
> alleviate this by running different systems on each gateway, eg. linux and 
> bsd. This makes your life administering your set up harder though.
> 

I'm not so sure about this. First, you can put the same OS on these two
machines without complications; only you may have different rules on the
firewall. You have to take care about what packets will pass through the
gateways, and from where.

> >
> > Some thoughts and ideas on how should I really implement would be nice.
> >
> 
> I would be inclined to do it the way you intended. If you set up your gateway 
> well, with good firewalling and regular patching, you should be safe from 
> most problems. 
> 

I would be inclined to do it the other way, but it will cost you a bit more
(another gateway). In my opinion this is the best choice for security
reasons.

> Security by obscurity is not something to rely on, but if no one is 
> interested in breaking your systems, no one will! By keeping your systems 
> well up to date (applying patches, checking vendor alerts etc.), and learning 
> as much as you can about configuring/securing your system, you will be in 
> good stead if someone does try and break in. 
> 
> 
> 
> > Thanks,
> >
> > P. Abrantes
-- 
David Ruben Elfi
Network and OS Administrator
Cooperativa Obrera Ltda.
Gerencia Sistemas - Zelarrayan 562
Te +54 291 4560084 - Bahia Blanca
          Choose your future. Choose to sysadmin.
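
As an added illustration of the "what and from where" point made above, here is a netfilter ruleset for the three-legged gateway drawn in the original post (eth0 = Internet, eth1 = LAN, eth2 = DMZ). This is example code written for this page, not a script from either poster. The RFC 1918 networks, the DMZ host address and the choice of publishing only ssh (22) and http (80) are assumptions; the policy is deny-by-default, so the DMZ can reach the Internet but has no path into the LAN, which is what makes the double-legged box acceptable if a DMZ service is compromised.

```shell
#!/bin/sh
# Three-legged NAT gateway for a home LAN plus DMZ (added example, not from the thread).
# eth0 faces the ADSL line, eth1 the LAN switch, eth2 the DMZ. Addresses are assumptions.
WAN_IF=eth0
LAN_IF=eth1
DMZ_IF=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
DMZ_HOST=192.168.2.10      # assumed: the DMZ box running sshd and httpd

# With DRY_RUN=1 every rule is printed instead of applied, so the policy can be
# reviewed on any machine without root and without touching a live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_dmz_policy() {
    # Routing between the legs must be on; skipped in dry-run mode.
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Flush and start deny-by-default: anything not explicitly allowed is dropped.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Anti-spoofing: packets from the Internet may not claim an internal source.
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$DMZ_NET" -j DROP

    # Replies belonging to connections that were already permitted.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The gateway itself accepts only loopback and ssh from the LAN leg,
    # so a cracked DMZ host cannot log in to the firewall.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT

    # LAN -> Internet, and LAN -> the published DMZ services only.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
        -p tcp -m multiport --dports 22,80 -j ACCEPT

    # Internet -> DMZ: only ssh and http to the DMZ host (after the DNAT below).
    ipt -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
        -p tcp -m multiport --dports 22,80 -j ACCEPT

    # DMZ -> Internet is allowed (updates, DNS). There is deliberately no
    # rule for -i eth2 -o eth1: DMZ -> LAN falls through to the DROP policy.
    ipt -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT

    # NAT: publish the two services on the public address, masquerade the rest.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 -j DNAT --to-destination "$DMZ_HOST"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_HOST"
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Apply for real with "sh dmz.sh apply" as root; review with "DRY_RUN=1 sh dmz.sh apply".
if [ "${1:-}" = apply ]; then
    apply_dmz_policy
fi
```

Note that the first poster's concern about a dynamic ADSL address still applies: the DNAT rules above do not depend on the public address, but the clients trying to reach the DMZ services do.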
