On Sat, Feb 28, 2009 at 12:40 PM, Jean-Francois <jfsimon1...@gmail.com> wrote:
> Hi,
> "And I totally agree with you, Mixing firewall services with services
> like Web or file/print services is a recipe for disaster."
>
> True since hacking the web server is entering the firewall itself.
> But the web server, httpd, is chrooted ... so why would there be a
> problem here ?

Because security is never absolute. It is a matter of probabilities,
measuring cost against risk, reducing possible attack vectors, and
minimizing the effects of a successful attack. In practice, it means
following redundant best practice with the assumption that there is a
flaw in the system somewhere, so you're going to put as many layers of
obstacles as possible between yourself and your attacker. A very
simple example is host-based firewalls and network-based firewalls.
You use both so that your attacker has that much more protection to
wade through before actually getting to your important stuff. Maybe
they'll get frustrated and move on. If nothing else, you'll have that
much more time to notice the attack in progress.

You could probably run your web and file server on your firewall and
never have a security breach. Probably, because if you're running all
that on the same machine, it's clear you're not a high profile target.
The most you'll probably see is SSH brute force attacks and some
clumsy attempts at SQL injection. But "probably" is cold comfort if
someone exploits a flaw in your web app, gains a local shell (chrooted
though it may be), and then leaps to one of your local machines. Or
discovers a flaw in the chrooting system. Or finds an exploitable app
available in the chroot. Or DOSs your firewall. Or just installs a
little app there that adds your firewall/file/web server to their
botnet. Or manages to force your internal interface into promiscuous
mode. Or...

Get the idea? Ultimately, it's up to you. Your firewall is there as a
first line of defense against malicious attacks. Opening additional
attack vectors on this machine is a bad idea. Locating your most
likely point of failure (your web app) on a machine with unrestricted
access to your internal data is a bad idea. But if your data is worth
less to you than a second old PC and a couple hours to set up 4.4 and
PF, then by all means, run everything on the same box.

-HKS
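What the "second old PC and PF" layering looks like in practice, as an added example that is not part of the thread: a pf.conf for a dedicated firewall with the web host on its own DMZ segment, so a shell on the web box (chrooted or not) has no route to the file/print servers. Interface names, addresses and the admin host are constructed placeholders; the rules are filtering-only (no NAT), and the web host is assumed to run its own host-based pf with the same default deny as the second layer.

```pf
# Added example, not from the original post: dedicated firewall, three interfaces.
# All names and addresses below are constructed placeholders.
ext_if  = "em0"            # Internet side
dmz_if  = "em1"            # web server segment
int_if  = "em2"            # file/print servers and workstations
dmz_net = "192.0.2.0/24"   # documentation prefix, not a real deployment
int_net = "10.0.0.0/24"
web_srv = "192.0.2.10"
admin   = "10.0.0.5"       # the one internal host allowed to SSH into the DMZ

set skip on lo
set block-policy drop

# Default deny on every interface, logged so an attack in progress is noticed.
block log all

# DMZ -> internal: nothing, evaluated first. A compromised web host cannot
# "leap to one of your local machines".
block in quick on $dmz_if from $dmz_net to $int_net

# Internet -> DMZ: only the web ports, only to the web host. The firewall
# itself exposes no web, file or print service.
pass in on $ext_if proto tcp from any to $web_srv port { 80 443 } flags S/SA keep state

# Web host -> elsewhere: only what it needs (DNS, package mirrors).
pass in on $dmz_if proto { tcp udp } from $web_srv to any port { 53 80 443 } keep state

# Internal -> DMZ: a single admin host over SSH; internal -> Internet freely.
pass in on $int_if proto tcp from $admin to $web_srv port 22 flags S/SA keep state
pass in on $int_if from $int_net to ! $dmz_net keep state

# Forward what the rules above admitted (states are floating by default).
pass out on { $ext_if $dmz_if $int_if } keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.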
