Mailinglist Archive: opensuse-security (685 mails)

< Previous Next >
Re: [suse-security] RFC: Network Setup
On Tuesday 05 February 2002 09:23, Stefan Nauber wrote:

> thanks for your replay. You advised me of not connecting the administrative
> network to the normal LAN. I understand that there is a security risk but
> this was, what I actually wanted to do. The idea was, that I wanted to
> administer the computers from my desktop without interference with the
> productive traffic.

Personally I think it's a good idea, and Dlink made some 4 port 100BaseT
cards which were very useful for this sort of purpose. This kind of backend
network should also use an ether switch if at all possible, they cost little
more than hubs, and reduce eavesdropping possibilities even further.
Furthermore using 4 port cards, additionally allows things like web server to
communicate with backend databases or file servers using a seperate server
network, at little extra cost (and co-located rackspace is cheaper without IP
address or traffic allocation).

The hosts in the DMZ, should not route packets between the networks, and
should only permit admin access through the admin host 'bastion' on that
network, and the administration network should not be trusted by that admin
host, packet filtering should be in place.

Any probing causing packets to be dropped, in that admin network should
trigger some immediate, and heavy attention.


< Previous Next >