Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] RFC: Network Setup
  • From: Markus Gaugusch <markus@xxxxxxxxxxx>
  • Date: Tue, 5 Feb 2002 08:17:33 +0100 (CET)
  • Message-id: <Pine.LNX.4.43.0202050806360.8479-100000@xxxxxxxxxxxxxxxxxx>
> Example:
> 1 Firewall
> 1 Mailserver
> 1 Proxy
>
> Firewall has 3 NICs:
> 1 connected to the internet showing no open ports
> 1 connected to the DMZ showing no open ports
> 1 connected to the administrative IP network providing SSH
This is ok (anything else wouldn't work ;)
>
> Mailserver has 2 NICs:
>
> 1 connected to the DMZ providing SMTP-service
> 1 connected to the administrative IP network providing SSH
No - the mailserver needs only one. The firewall can allow access to the
ssh port of the mail server only from the administrative network. To
provide further safety, the mailserver itself should check the source IP, too.
The problem with your setup is that IF someone hacks your mailserver,
access to the administrative network is gained, with no barriers in
between!

> Proxy has 3 NICs:
> 1 connected to the DMZ showing no open ports
> 1 connected to the LAN providing several proxy services
> 1 connected to the administrative IP network providing SSH
Same as above, one or at most two NICs are enough. If you don't care about
people circumventing your proxy (or you have all ports blocked, so people
must use it), one is enough (on the LAN side). The proxy should then be
allowed to go outside (masquerading).
Of course, ssh only works if you have access to the LAN from the
administrative network, and allow access only from a specific IP/maybe MAC
address. If not, you will surely need a second NIC.
But remember: the more links you have, the more of them can be a weakness! Use as
few cross-links as possible - the weakest link will break first, and if
you have a lot of links, this is harder to handle!

regards,
Markus Gaugusch
--
_____________________________ /"\
Markus Gaugusch ICQ 11374583 \ / ASCII Ribbon Campaign
markus@xxxxxxxxxxx X Against HTML Mail
/ \
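As an added illustration of the single-NIC mailserver design argued for in the reply above (example code written for this archive page, not part of the original mail): a small Python model of the two independent barriers, the firewall's forwarding rule with an ingress anti-spoofing check, and the mailserver's own source check. The addresses, interface names and the `Packet` type are assumptions.

```python
"""Model of the single-NIC mailserver design from the reply above (constructed
example; addresses, interface names and the Packet type are assumptions).
Two independent layers decide whether an SSH connection reaches sshd on the
mailserver: the firewall's forwarding policy and the host's own source check."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")       # behind firewall NIC eth1
ADMIN_NET = ip_network("198.51.100.0/24")  # behind firewall NIC eth2
MAILSERVER = ip_address("192.0.2.25")      # its single NIC sits in the DMZ
SSH, SMTP = 22, 25
# Source network each firewall NIC may legitimately carry (eth0 = internet).
IFACE_NETS = {"eth0": None, "eth1": DMZ_NET, "eth2": ADMIN_NET}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int

def firewall_forward(pkt: Packet) -> bool:
    """Firewall FORWARD decision for traffic towards the mailserver."""
    src, expected = ip_address(pkt.src), IFACE_NETS[pkt.in_iface]
    # Anti-spoofing: DMZ/admin NICs only accept their own source network,
    # and the internet NIC never accepts an internal source address.
    if expected is not None and src not in expected:
        return False
    if expected is None and (src in DMZ_NET or src in ADMIN_NET):
        return False
    if ip_address(pkt.dst) != MAILSERVER:
        return False
    if pkt.dport == SMTP:
        return True                                   # mail from anywhere
    if pkt.dport == SSH:                              # admin network only
        return pkt.in_iface == "eth2" and src in ADMIN_NET
    return False                                      # default deny

def mailserver_accept(pkt: Packet) -> bool:
    """Host-level check on the mailserver: sshd reachable only from admin net."""
    if pkt.dport == SSH:
        return ip_address(pkt.src) in ADMIN_NET
    return pkt.dport == SMTP

def ssh_reaches_mailserver(pkt: Packet) -> bool:
    """Both barriers must agree, so one misconfigured layer alone does not expose sshd."""
    return firewall_forward(pkt) and mailserver_accept(pkt)
```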