RE: [suse-security] Re: Squid on Firewall?
Re Daniel.
yes, you are right! getting compromised by a client application isn't good indeed... ;-)
It sure ain't. :-)
but that wasn't my hint about this topic. my idea is to separate your system into two: first you have a hardened firewall-system without any program running on it. second there is a proxy-server behind the wall with "your" application proxies.
So you mean a pure packet filter when you say 'hardened firewall-system'? I call that a packet filter. :-) Yes, it generally makes sense to have a packet filter as the point of entry to your network. However, there are a couple of possible architectures. Quoting from the book I named:

1. Single-box architectures: screening router, dual-homed host.
2. Screened host architectures
3. Screened subnet architectures
4. Architectures with multiple screened subnets: split-screened subnet, independent screened subnet
5. Variations on firewall architectures

If what you're proposing is a packet filter up front and a proxy in the internal network, then you have a screened host architecture. A screened subnet architecture, in which the screened subnet is referred to as a DMZ, is more common in the corporate world. Most Linux home users use a single box, either as a screening router (if they only use ipchains) or, if they're running (some) proxies on the box, as something you could term a hybrid between a screening router and a dual-homed host, or a collapsed DMZ. The latter is the setup described by the initiator of this thread.

It is stupid, yes, not to perform packet filtering on a proxy that is part of a firewall system, if you can. However, of course you'll have programs running on the packet filter as well. First, there's the kernel. Then you've probably got syslogd and crond running. Unless you're performing administration from the console only, you'll probably have sshd running.

Cheers,
Tobias
On 28 Mar 2001, at 8:08, Reckhard, Tobias wrote:
However, of course you'll have programs running on the packet filter as well. First, there's the kernel. Then you've probably got syslogd and crond running.
A DHCP client is more likely. I would not have crond; the only thing it had to do on such a computer is to rotate/compress logs, which implies read, write and delete rights to log files, and that is the first target for an intruder. Log files are to be append-only in multiuser mode; regular backups/logrotate functions are best done in singleuser mode via serial terminal/console.
Unless you're performing administration from the console only, you'll probably have sshd running.
For remote administration a serial line to a modem/ISDN server (callback if possible) is the best thing to combine security with comfort. This can be done and the cost compared to the level of security one can achieve is marginal. And as a bonus, that way you can alter even network configurations off site. By the way, does someone here have resources of a port of mtree to Linux?

TIA
mike
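Mike's question above concerns mtree, which records per-file attributes of a tree and later reports what changed. The following Python script is an added illustration of that idea, not mtree itself and not from this thread: it baselines mode, size and SHA-256 of every regular file under a directory and then lists missing, extra and altered files attribute by attribute. The file names and contents in demo() are a constructed sample.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def _sha256(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_spec(root):
    """Return {relative path: {mode, size, sha256}} for regular files under root,
    roughly the subset of mtree keywords a host-integrity check needs."""
    root = Path(root)
    spec = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.lstat()
        spec[path.relative_to(root).as_posix()] = {
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "size": st.st_size,
            "sha256": _sha256(path),
        }
    return spec

def verify_spec(root, baseline):
    """Compare the live tree with a stored baseline; return sorted (path, finding) pairs."""
    current = build_spec(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "missing"))
        elif rel not in baseline:
            findings.append((rel, "extra"))
        else:
            for key in ("mode", "size", "sha256"):
                if baseline[rel][key] != current[rel][key]:
                    findings.append((rel, f"{key} changed: {baseline[rel][key]} -> {current[rel][key]}"))
    return findings

def demo():
    """Constructed scenario: baseline a small /etc-like tree, then alter one file and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "syslog.conf").write_text("*.info /var/log/messages\n")
        (etc / "hosts.allow").write_text("sshd: 10.0.0.0/8\n")
        baseline = build_spec(tmp)                       # taken while the host is trusted
        (etc / "hosts.allow").write_text("sshd: ALL\n")   # later modification to detect
        (etc / "extra.conf").write_text("unexpected\n")   # file that was not in the baseline
        return verify_spec(tmp, baseline)

if __name__ == "__main__":
    for rel, what in demo():
        print(rel, what)
```

The baseline must be stored off the host being checked (or on read-only media), since an intruder with write access to the files can just as easily rewrite a spec kept beside them.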
participants (2)
- Reckhard, Tobias
- Thomas Michael Wanka