On 7 Jun 2003, Kevin Saenz wrote:

> > It's excessively complex?
> > Additional firewalls don't necessarily improve security - a single
> > firewall, properly configured, will do everything you need - sticking in
> > extras is a waste.
> > And why use two _switches_? I could understand it if you were using hubs -
> > but why bother with two switches? get a decent single switch, and divide
> > it into VLAN's if you're that paranoid about people on your LAN getting to
> > the servers.
> >
> The 2 switches are ok especially if you want to separate your internet
> servers and your lan environment. I see no problem with that, given
> on your lan you want trusted server. Any server that has direct
> connection to the internet in most schools of thought is not a trusted
> server. That is why you have a De-Militarised Zone, to ensure if someone
> owns your mail or web server they can't really own the rest of your LAN.

Did you miss the bit about VLAN's? In this day and age of really excellent
switches, there's absolutely _no_ need to duplicate switches - simply
spend a little more on one switch, and use vlan's to isolate the bits you
need from each other by not allowing them to route between vlans.

Remember, this is {as stated in the subject line} for HOME use - DMZ's are
a massive overkill, but if you *must* have one, why not just use the one
firewall to do it? Three network cards {net, LAN and DMZ} and an
appropriate ruleset will sort you out perfectly.

> > For a home network, this is a massive overkill, and you're just wasting
> > your money on devices you don't need.
> >
> My environment is similar to that but I intended to mirror what I have
> done for my clients and work place. As we all know firewalls are just
> packet filters. How are you going to stop a potential exploit from
> accessing your DNS, mail or web server (if they exist in the *nix
> distro)? Chroot is great, I have it for DNS; postfix as a standard install
> does it. Apache is pretty rock solid. Spare a thought for those who are
> forced to use less than secure proprietary software.

"Just packet filters" - sheesh! What more do you *want* them to be? If
you're in a serious production environment, and you _don't_ keep up to
date with security patches {via securityfocus and other places}, then
you're a fool - and deserve to be hacked, regardless of _what_ OS you run.

The only way to have a "Safe" network is eternal vigilance - and how much
money do you want to spend being "safe"? You can pay someone to watch
security based web sites and usenet and other places for security-related
hacks/patches all day and all night, and get them to apply any patch which
is released {or write their own, if one isn't}, but what is the cost?

Where do you draw the line on complexity/cost effectiveness? Just how much
money do you want to pour into a home network anyway?

I might do something like Minh described for the purpose of experimenting
- but not just because it's a "good thing". That's plain silly.

DaZZa

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
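The single-firewall, three-NIC layout DaZZa describes (net, LAN and DMZ on one box, DMZ unable to reach the LAN), written out as an added nftables ruleset; this is not code from the thread, nftables stands in for the iptables of the day, and the interface names, subnets and the two DMZ host addresses are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: one Linux host with three NICs acting
# as the net/LAN/DMZ firewall. Interface names and addresses are assumed.
flush ruleset

define wan = "eth0"            # towards the internet
define lan = "eth1"            # trusted home LAN, 192.168.1.0/24 (assumed)
define dmz = "eth2"            # mail/web/DNS hosts, 192.168.2.0/24 (assumed)
define dmz_web = 192.168.2.10  # assumed DMZ web server
define dmz_mail = 192.168.2.11 # assumed DMZ mail server

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        iif $lan tcp dport 22 accept            # manage the firewall from the LAN only
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # LAN may reach the internet and the published DMZ services
        iif $lan oif $wan accept
        iif $lan oif $dmz tcp dport { 25, 80, 443 } accept
        # internet may reach the DMZ only via the DNAT rules in the nat table
        iif $wan oif $dmz ct status dnat accept
        # DMZ hosts get outbound DNS and SMTP and nothing else
        iif $dmz oif $wan udp dport 53 accept
        iif $dmz oif $wan tcp dport { 25, 53 } accept
        # a compromised DMZ box must not pivot into the LAN (policy drop covers
        # this; stated explicitly so the intent is visible in the ruleset)
        iif $dmz oif $lan drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iif $wan tcp dport { 80, 443 } dnat to $dmz_web
        iif $wan tcp dport 25 dnat to $dmz_mail
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $wan masquerade                      # LAN and DMZ share the one public address
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; the forward chain's default drop is what enforces the DMZ-to-LAN isolation, so any later "accept" added above it should be checked against that intent.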
