binary only lfs system

Steve Crosby sneeble at paradise.net.nz
Sat Nov 23 02:15:00 PST 2002


Ian Molton <spyro at f2s.com> wrote in 
news:20021123095414.6829561c.spyro at f2s.com:

> On Sat, 23 Nov 2002 09:06:59 +0000 (UTC)
> ladislav.danko at acsnet.sk (Ladislav Danko) wrote:
> 
>> hmmm, web server and firewall on the same machine?
> 
> 
> What's wrong with that? A separate machine for each task is not any more
> secure...
> 

It depends on your definition of "more secure"...

Consider the following common cable/xDSL setup..

Internet
  |
  |
Firewall/Webserver/SSH/FTP Server
  |
  |
Home Machine(s)

If the web/ssh/ftp server is compromised, the firewall is also 
compromised, and thus the home machine(s) are vulnerable to attack without 
the restrictions to services the firewall normally puts in place..

Consider a "more secure" scenario

Internet
  |
  |
Firewall ----- Webserver ----- FTP Server ---- SSH Server ---- etc. (the DMZ)
  |
  |
Home Machine(s)

In this situation, a properly configured firewall will prevent a 
compromise of servers in the DMZ from accessing the home machine(s). The 
firewall needs to be configured to deny access to the home machine(s) 
from the DMZ servers to be properly "secure" though.

In addition, it is considered "bad form" to run Internet facing services 
on the firewall itself, simply because this exposes the firewall if any 
of those additional services are compromised.

Clear as mud? *grin*

- --
Steve Crosby
sneeble at paradise.net.nz
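
The DMZ layout described in the message above, as an added example that is not part of the original post: a shell function that emits an iptables-restore ruleset for a three-interface firewall that refuses new connections from the DMZ to the home machines and runs no Internet-facing services itself. The interface names (eth0 Internet, eth1 DMZ, eth2 home LAN), the web server address 192.168.2.10 and the single published port 80 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed names: WAN=eth0, DMZ=eth1, LAN=eth2, and a constructed DMZ web
# server address (192.168.2.10). Adjust to the real interfaces and hosts.
#
# Usage (parse-only check, nothing is committed):
#   dmz_ruleset eth0 eth1 eth2 192.168.2.10 | iptables-restore --test

dmz_ruleset() {
    wan=$1; dmz=$2; lan=$3; web=$4
    cat <<EOF
*filter
# Default deny: traffic not explicitly allowed below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself offers no services; it accepts only loopback
# traffic and replies to connections it opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Replies to forwarded connections that were allowed to start.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ hosts may never open a connection to the home machines. Stated
# explicitly and early so a broader ACCEPT appended later cannot override it.
-A FORWARD -i $dmz -o $lan -m state --state NEW -j DROP
# The Internet may reach only the published web service in the DMZ.
-A FORWARD -i $wan -o $dmz -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Home machines may open connections to the DMZ and to the Internet.
-A FORWARD -i $lan -o $dmz -m state --state NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
COMMIT
EOF
}
```

With these rules a compromised DMZ server can still answer connections the home machines opened to it, but it cannot start one of its own toward them.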