Mailinglist Archive: opensuse-security (685 mails)

RE: [suse-security] RFC: Network Setup
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Tue, 5 Feb 2002 08:26:48 +0100
  • Message-id: <96C102324EF9D411A49500306E06C8D1A56D1B@xxxxxxxxxxxxxxxxx>
> As we are all concerned about security and don't like unnecessary work,
> there usually is some kind of SSH service on all the machines, which means
> just one more open port to be attacked.
>
> The idea: Add another network interface to each box in the DMZ and put them
> into a private IP network. Use this network for administration purposes only.

[snip]

> Would this setup provide any benefit regarding security, provided that there
> is proper configuration?

Yes, of course it would, since you're separating the path of administrative
access from the more or less public production infrastructure physically.
Physical separation is always more secure than logical separation, by the
very principle.

In fact, I often recommend this type of architecture, though it is often too
late and many shops find it too cumbersome to not be able to perform system
administration from their desktop in the private LAN. The sysadmin network
is the logical place to put syslog, backup, NTP and other servers as well,
which serve your DMZ machines but needn't (and shouldn't) be accessible to
others.

You achieve even more security by employing point-to-point links between the
DMZ machines and those in the management network. Since this becomes
impractical quickly if performed based on physical distinction, I often
recommend the use of end-to-end IPSec within the management network.

NB: The sysadmin network must not be connected to the internal network.

Tobias
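The rule in this thread, that administrative services on a DMZ host are reachable only over the dedicated sysadmin interface, is easy to state and easy to break by accident (an `sshd` that listens on `0.0.0.0` is reachable from the production side as well). The following script is an added example, not code from the list or from SUSE: it parses a listening-socket listing in the shape of `ss -ltnu` output, flags administrative services that are bound to a wildcard or to a non-management address, and prints defence-in-depth packet-filter rules. The management network `10.99.0.0/24`, the DMZ address `203.0.113.10`, the interface name `eth1` and the socket listing itself are constructed assumptions.

```python
"""Audit a DMZ host's listening sockets against the rule from the thread:
administrative services must be bound to the management-network address only.

Added example (not from the mailing list). Constructed assumptions: the
management network is 10.99.0.0/24, the management interface is eth1, and
SAMPLE_SS_OUTPUT imitates `ss -ltnu` output on a DMZ web server."""
import ipaddress

# Constructed sample listing in the shape of `ss -ltnu` on a DMZ web server.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    203.0.113.10:80     0.0.0.0:*
tcp   LISTEN 0      128    10.99.0.10:22       0.0.0.0:*
tcp   LISTEN 0      128    [::]:80             [::]:*
udp   UNCONN 0      0      10.99.0.10:514      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
"""

# Services the thread places on the sysadmin network: SSH, syslog, NTP.
ADMIN_PORTS = {22: "ssh", 514: "syslog", 123: "ntp"}
UDP_SERVICES = {"syslog", "ntp"}

MGMT_NET = ipaddress.ip_network("10.99.0.0/24")  # assumption: sysadmin network


def parse_ss(text):
    """Yield (proto, address, port) for each socket line of an `ss` listing."""
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")     # also handles "[::]:80"
        addr = addr.strip("[]")
        if addr == "*":
            addr = "0.0.0.0"
        if not port.isdigit():
            continue
        yield proto, addr, int(port)


def audit(ss_text, mgmt_net=MGMT_NET):
    """Return findings for admin services not confined to the management net."""
    findings = []
    for proto, addr, port in parse_ss(ss_text):
        if port not in ADMIN_PORTS:
            continue                              # production service, out of scope
        ip = ipaddress.ip_address(addr)
        if ip.is_unspecified:
            reason = "wildcard bind, reachable on the DMZ interface too"
        elif ip not in mgmt_net:
            reason = "bound to a non-management address"
        else:
            continue                              # confined to the sysadmin net
        findings.append({"proto": proto, "addr": addr, "port": port,
                         "service": ADMIN_PORTS[port], "reason": reason})
    return findings


def filter_rules(mgmt_iface="eth1"):
    """iptables rules (assumed interface name) that accept the admin ports only
    on the management interface and drop them arriving on any other one, so a
    misbound daemon is still not reachable from the production side."""
    rules = []
    for port, svc in sorted(ADMIN_PORTS.items()):
        proto = "udp" if svc in UDP_SERVICES else "tcp"
        rules.append(f"iptables -A INPUT -i {mgmt_iface} -p {proto} "
                     f"--dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"{f['service']:7} {f['proto']} {f['addr']}:{f['port']}  {f['reason']}")
    print("\nsuggested packet-filter rules:")
    print("\n".join(filter_rules()))
```

On the constructed listing the audit reports the wildcard-bound `sshd` on port 22 and the NTP daemon on port 123, while the SSH and syslog sockets on `10.99.0.10` pass. The fix for the daemon side is a `ListenAddress` line in `sshd_config` pointing at the management address (and the equivalent bind option for the other daemons); the packet-filter rules are the second layer for the day someone forgets.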
