
RE: Where to place public servers




Depends on your "paranoia" level.

With the scheme below, your firewall is accepting incoming packets (going to
webservers) which are not initiated by outgoing requests. And this introduces
a risk, be it theoretical.

For this reason, some people prefer to put the "public" servers on the
outside and then
- either consider them as sacrificed
- or set up another firewall to protect them. This however has a cost.

I personally prefer to configure the corp firewall to only allow outgoing
traffic. The config is simple and I don't have to play with rules that depend
on dest addresses, ports and the such. Moreover, what is gained from a
firewall if my server is completely public? Not much if the server is well
configured. For example, the server might be running tcp_wrappers and
configured as a host (instead of gateway) with all the unnecessary services
disabled. Then it does not need a firewall. You could argue that then it is
configured as a firewall. I do not need the same level of protection for this
server and for my private hosts, which may be running "unsecure" systems and
used by users whose job is not to ensure the security of the site.
[Since I am not a fw admin, my claims may be biased though.]

I would say that as for any question, the right answer, if one exists,
depends on what you want.

mouss


John Adams wrote:
>
> Everything behind the firewall, regardless of purpose.
>                       +-------------- eth1   webservers
> outside eth0 -----[firewall]
>                       +-------------- eth2   inside
>
> Protect everything, trust no one. Also place a router prior to this to do
> ingress filtering.
>
> -j
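To make the difference between the two positions in this thread concrete, here is an added example (not code from either poster): a toy stateful packet filter that models John Adams's three-interface layout. With an empty "allow new inbound" set it behaves like mouss's outgoing-only policy; with `("eth1", 80)` in that set it behaves like the "webservers behind the firewall" scheme, and the one unsolicited packet it lets through is exactly the risk mouss points at. The interface names come from the diagram above; the address ranges and the sample packets are constructed for illustration.

```python
# Added example, not from the thread: a minimal stateful filter model.
# Interface names follow John Adams's diagram; addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: eth1 holds the webservers, eth2 the inside hosts.
NETWORKS = {
    "eth1": ip_network("192.0.2.0/24"),   # webservers
    "eth2": ip_network("10.0.0.0/8"),     # inside
}
OUTSIDE = "eth0"


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrives on
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool       # True for the first packet of a TCP connection


def out_iface(dst: str) -> str:
    """Egress interface for a destination; OUTSIDE if no internal net matches."""
    addr = ip_address(dst)
    for iface, net in NETWORKS.items():
        if addr in net:
            return iface
    return OUTSIDE


class StatefulFilter:
    """Accept replies to connections we opened; new inbound only where allowed."""

    def __init__(self, allow_new_inbound):
        # (egress interface, destination port) pairs that unsolicited outside
        # connections may reach. An empty set is the "outgoing only" policy.
        self.allow_new_inbound = set(allow_new_inbound)
        self.state = set()  # (client, server, server_port) of known connections

    def decide(self, pkt: Packet) -> str:
        if pkt.in_iface != OUTSIDE:
            # Traffic leaving the site is always allowed; remember new
            # connections so their replies can come back in.
            if pkt.syn:
                self.state.add((pkt.src, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Arriving from outside: is it a reply to something we initiated?
        if (pkt.dst, pkt.src, pkt.sport) in self.state:
            return "ACCEPT"
        # Otherwise it is a new connection: allowed only if the policy
        # deliberately opens that interface/port to the outside.
        if pkt.syn and (out_iface(pkt.dst), pkt.dport) in self.allow_new_inbound:
            self.state.add((pkt.src, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"


# Constructed sample traffic (documentation-range addresses).
TRAFFIC = [
    Packet("eth2", "10.0.0.5", "203.0.113.9", 40000, 80, True),    # inside host opens a web connection
    Packet("eth0", "203.0.113.9", "10.0.0.5", 80, 40000, False),   # the reply to it
    Packet("eth0", "198.51.100.7", "192.0.2.10", 51000, 80, True),  # unsolicited HTTP to a webserver
    Packet("eth0", "198.51.100.7", "192.0.2.10", 51001, 22, True),  # unsolicited SSH to a webserver
    Packet("eth0", "198.51.100.7", "10.0.0.5", 51002, 80, True),    # unsolicited HTTP to an inside host
]

POLICIES = {
    "outgoing-only": [],                      # mouss: nothing unsolicited comes in
    "webservers-behind-fw": [("eth1", 80)],   # John Adams's scheme: port 80 open towards eth1
}


def run_policy(name: str) -> list:
    """Run the sample traffic through a fresh filter configured for one policy."""
    fw = StatefulFilter(POLICIES[name])
    return [fw.decide(p) for p in TRAFFIC]


if __name__ == "__main__":
    for name in POLICIES:
        print(name, run_policy(name))
```

Under both policies the inside host's own request and its reply pass, and the SSH and inside-host probes are dropped. Only the third packet differs: the outgoing-only policy drops it, while the webservers-behind-firewall policy accepts it and creates state for a connection the site never asked for. That accepted packet is the "incoming packets not initiated by outgoing requests" mouss describes, which is why the webserver itself still has to be hardened (unneeded services off, tcp_wrappers or equivalent) whichever side of the firewall it sits on.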

