Hi Dave,

I think you can put a filtering bridge between your subnet and the router
from your ISP. So the network will look like:

                                --web server
                               /--mail server, etc
router---filtering bridge---hub---router/firewall for internal network

This way, you don't have to expose your web server etc. directly to the
outside world and also save the hassle of setting up IP NAT for DMZ.

For setting up a filtering bridge, see this link:
http://www.obfuscation.org/ipf/ipf-howto.txt

Pay attention to section B.2. This howto is mainly for OpenBSD which is very
suitable for firewalling purposes. It should be easy to set up if you know how
to set up a firewall for Linux.

The security risk of exposing more machines directly is that if one machine
is compromised, the hacker will be able to see the traffic between DMZ
(well, no DMZ in this case) and your internal network and perform further
attacks.

Also, never use plain old telnet. Use ssh or ssl-telnet.

Good luck,
Dennis
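
An added example of what the filtering bridge's ruleset could look like, written in IPFilter (ipf) syntax as used in the howto above; it is not from the howto or from either message in this thread. It assumes ep0 faces the ISP router, ep1 faces the hub, and a constructed 16-address block 192.0.2.0/28 with the web server at 192.0.2.2, the mail server at 192.0.2.3 and the internal router/firewall at 192.0.2.4.

```conf
# Added example ruleset for the bridge in the diagram (not from the thread).
# Assumed layout: ep0 = ISP side, ep1 = hub side, subnet 192.0.2.0/28
# (constructed), web 192.0.2.2, mail 192.0.2.3, internal router 192.0.2.4.
# ipf evaluates rules with last-match-wins unless a rule says "quick", so
# the catch-all blocks come first and every rule below them is "quick".

# Default deny in both directions, logged so you see what is being dropped.
block in log all
block out log all

# Packets arriving from the ISP side that claim a source inside our own
# subnet are spoofed; drop them before any pass rule can match.
block in log quick on ep0 from 192.0.2.0/28 to any

# No cleartext telnet across the bridge in either direction (use ssh).
block in log quick proto tcp from any to any port = 23

# Public services: only new TCP connections to the web and mail servers.
# "flags S" matches the initial SYN; "keep state" lets the replies through.
pass in quick on ep0 proto tcp from any to 192.0.2.2/32 port = 80 flags S keep state
pass in quick on ep0 proto tcp from any to 192.0.2.3/32 port = 25 flags S keep state

# Remote administration of the exposed hosts over ssh only.
pass in quick on ep0 proto tcp from any to 192.0.2.0/28 port = 22 flags S keep state

# Nothing else from the outside reaches the internal router/firewall
# directly; its own outbound connections are covered by the rules below.

# Connections started from inside the subnet (outbound mail, DNS lookups,
# browsing from the internal network through its router) are allowed and
# tracked by state so only their replies come back in on ep0.
pass in quick on ep1 proto tcp from 192.0.2.0/28 to any flags S keep state
pass in quick on ep1 proto udp from 192.0.2.0/28 to any keep state
pass in quick on ep1 proto icmp from 192.0.2.0/28 to any keep state

# Assumption: this relies on ipf state entries matching the same packet
# as it leaves the other bridge interface. If your ipf version keeps
# state per interface, add matching "pass out quick on ..." rules.
```

Load it with `ipf -Fa -f /etc/ipf.rules` and watch the log (ipmon) while testing from outside; anything not explicitly passed, including telnet to the servers, should show up as a logged block.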

> -----Original Message-----
> From: Dave Harms [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, December 13, 1999 6:14 PM
> To:   Firewall mailing list; Dave Harms
> Subject:      Question on firewalling strategies
> 
> I have a couple of questions about firewall strategies. I currently 
> have a single Linux box doing duty as a web, mail, ftp, and news 
> server, and it's also a firewall and masquerading for an internal 
> network. It's time to break that functionality down into several 
> machines, for various reasons. I have a 16 address subnet. I initially 
> thought about using a three-homed machine along the lines of the 
> "serious example" at the end of the ipchains how-to. But having a 
> single point of entry/exit, while making security administration 
> easier, seems to me to introduce a weak point as well. If the 
> three-homed firewall goes down, I lose all services. 
> 
> Instead I've been thinking about just exposing the various 
> mail/news/web servers and locking each down appropriately with 
> ipchains, and allowing telnet and a few other services throughout the 
> subnet for ease of maintenance. What's the better strategy? By exposing 
> more machines directly am I increasing my security risk significantly? 
> Or am I better protecting the network by only giving away a smaller 
> piece of the pie if I do get hacked? Root passwords are different for 
> all machines. 
> 
> Thanks for your help,
> 
> Dave
> 
> Dave Harms
> [EMAIL PROTECTED]
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]