On 2003-07-22 Kelly Martin wrote:
> On Mon, 21 Jul 2003, Ansgar Wiechers wrote:

[ Running public servers from a home LAN ]

> > Do not run servers on firewalls. Just don't. Every service allowing
> > inbound connections which runs on your firewall adds a potential
> > security breach.
> 
> This is the ideal case,

It is, and it's not that hard to achieve. IMHO.

> however for smaller networks a server/firewall may be the only
> practical route. A stateful firewall (such as pf or iptables) with all
> incoming ports blocked except port 80 for httpd, and an administrator
> who keeps on top of patches can still be reasonably secure.

It may be considered reasonably secure, but I still suggest avoiding it
and spending a couple of $CURRENCY instead.

> As you said, running minimal services is very important. And this is
> better than just port-forwarding port 80 to an insecure box on a
> private network, IMO.

Well, *that* goes without saying. If anyone considers himself totally
secure just because of having a router (or even a firewall) between his
server and the rest of the world, he'd better stop dealing with servers
immediately.

> > Small routers (e.g. from Netgear) aren't *that* expensive and I
> > don't assume you are going to need a Cisco or something for your
> > private LAN. What kind of connection do you have?
> 
> Personally, those cheap (sub $100) routers make me nervous...

Oh, I wasn't aiming that low. Take the Netgear FVS318 [1] for example
(sorry, don't mean to advertise). It provides stateful firewalling,
VPN support and some other goodies for about 120 USD.

> at least with a software firewall you know what you've got and can
> keep it patched.

On the other hand, hardware routers are much more specialized than
general-purpose OSs can be, so they are likely to have fewer bugs
(simply due to the fact that there's a smaller code base). And you can
keep them patched as well. Just keep the firmware up to date.

[1] http://www.netgear.com/products/details/FVS318.asp?view=sb

Regards
Ansgar Wiechers
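As an added illustration (not part of the thread), this is the kind of pf ruleset Kelly's "all incoming ports blocked except port 80 for httpd" setup amounts to on a box that is both the home firewall and the web server. It uses OpenBSD 3.x-era pf syntax; the interface names fxp0 (Internet) and fxp1 (LAN) and the LAN address range are assumptions.

```pf
# Added example, not from the original message: minimal pf.conf for a
# combined firewall/web server. Interface names and LAN range are assumed.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

# Translation rules must precede filter rules in this pf syntax:
# masquerade the private LAN behind the external address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default policy: drop silently in both directions on every interface,
# so every inbound port that is not explicitly opened below is closed.
block drop in  all
block drop out all

# Loopback is trusted.
pass quick on lo0 all

# Drop packets arriving on the external interface with source addresses
# that could not legitimately come from there.
antispoof quick for $ext_if

# The single service exposed to the Internet: httpd on port 80, stateful,
# and only TCP connection attempts (SYN without ACK) create state.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 \
    flags S/SA keep state

# Administration (ssh) is reachable from the LAN side only, never from
# the external interface.
pass in on $int_if inet proto tcp from $lan_net to ($int_if) port 22 \
    flags S/SA keep state

# LAN hosts and the firewall itself may initiate outbound connections;
# the reply traffic is matched by state, not by an inbound rule.
pass in  on $int_if inet from $lan_net  to any keep state
pass out on $ext_if inet from ($ext_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the `-n` run is what catches a typo before it locks you out of the LAN-side ssh rule.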
