Re: [opensuse] Public IP Webserver behind SuSEfirewall2 & FW_MASQUERADE
  • From: Anders Johansson <ajohansson@xxxxxxx>
  • Date: Sun, 19 Apr 2009 18:26:09 +0200
  • Message-id: <200904191826.09901.ajohansson@xxxxxxx>
On Sunday 19 April 2009 18:08:10 LLLActive@xxxxxxx wrote:
Yes, I thought of that. Maybe using separate NICs between the two
machines in a separate private network all by themselves will do. If the
webserver is compromised, then all is also compromised.

Just how does one get such a setup secure, without putting your data in
the DMZ?

Internet -- firewall 1 -- DMZ with Webserver -- firewall 2 -- Database server

Normally you do put the data in the DMZ. Enough for your web needs, at least.
Your main database can then be on the internal network, and your DMZ then has
a data pump to feed it, in some fashion. Ideally this would be a "push only"
connection, with no inbound connections allowed at all, so that the internal
server synced with the external machine regularly through some data transfer
protocol.

For optimal security, there would be no connection to the internal network
allowed at all, in either direction. The data would then be synced manually,
perhaps by copying it on a USB device. It all depends on how much effort you
want to go to, how much your security is worth. Very high security requires
effort.

Anders
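
Added example, not part of the original message or of SuSEfirewall2: a plain netfilter ruleset in `iptables-restore` format for "firewall 2" in the diagram, reading the "no inbound connections" idea as: only the internal sync host may open a connection into the DMZ, and nothing in the DMZ may open one inward. The interface names, addresses and the choice of SSH (for example rsync over SSH) as the transfer protocol are assumptions made for illustration.

```iptables
# Constructed example for firewall 2 (between DMZ and internal network).
# Assumed layout: eth0 = DMZ side, eth1 = internal side,
#   192.0.2.10 = web server in the DMZ (documentation address),
#   10.0.0.20  = internal host that runs the sync job.
# Rules for traffic to and from the firewall host itself (INPUT/OUTPUT)
# are left out; only forwarded traffic is shown.
*filter
:FORWARD DROP [0:0]

# Replies to connections that were opened from the internal side.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The only new connection allowed: internal sync host -> DMZ web server, SSH.
-A FORWARD -i eth1 -o eth0 -s 10.0.0.20 -d 192.0.2.10 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# Any attempt from the DMZ to open a connection inward is logged, then
# dropped by the chain policy. A hit here deserves attention, since a
# healthy web server has no reason to produce it.
-A FORWARD -i eth0 -o eth1 -m limit --limit 10/min -j LOG --log-prefix "fw2 DMZ->internal: "

COMMIT
```

With this in place, a compromised web server can be read from by the sync job but cannot itself reach the database server, and the log line gives an early signal that something in the DMZ is probing inward.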