On 4 February 2011 20:54, Mark Jones <mjo...@imagehawk.com> wrote:
> ... A lot of stuff ...
I'm no network expert, nor am I a computer expert. Nor will I ever claim to be. But if there's one thing I know for a fact, it's that putting all your eggs in one basket isn't a good idea, no matter what.

The whole point of a firewall is to keep you, and in effect your network infrastructure, secure. The way to achieve this is to implement some sort of mechanism to make sure that your ingress point is as little exposed as possible. In this respect, the ingress point is your firewall, aka pfSense. By limiting the services/programs running on that crucial ingress point, you, as has been said previously, effectively limit the attack surface exposed to external parties (read: external sources trying to breach your ingress point). To me, this all sounds sane and logical. I try to the best of my abilities to run as few services as possible on the firewall, no matter if it's at home or in a corporate environment.

The thing about a firewall is that it's supposed to give you and your network protection. Services such as a web server, VoIP service, Jabber, IRC, FTP server, shell access etc. are supposed to run on machines *behind* the ingress point, in this case the firewall. This is where the multiple interface scenario comes into play. If you plan a good network, you know that you need to separate services/machines, and decide where they reside, based on the function the service/machine performs. For instance, a web server does not *need* to be in your LAN segment to work; it can without problem reside in a different network segment (read: interface) and function as it should, both from the inside *and* the outside.

Whenever you implement a firewall, you plan your firewall and network topology based on what you're actually doing. The basic rule of thumb in an ideal scenario is that you shut down access to *everything*, and just open up access to whatever is needed, both inbound and outbound. This way, your firewall controls what is allowed on the network and what is not.
If someone were to gain access to a host behind your ingress point (read: firewall), the rules *you* implemented would be the base of the attack, or the lack of it, depending on your rules. The problem with running unneeded services on your firewall, no matter if it's on a dedicated machine or in a virtually hosted environment, is that if someone is actually able to gain access to your firewall due to open doors exposed by these services, they basically have unlimited access to your network. pfSense has access to *all* your network segments, all your active VPN connections (site to site, satellite to server) and what not. Gain access to the ingress point, and you basically have the key to all the doors in the house, no matter if they use a physical key, magnetic card or biometric reading.

If you have done your planning right, and implemented the right rule set for your ingress point, gaining access to a host behind the ingress point will in most cases prove less dangerous than gaining access to the main ingress point itself.

I'm sure there are people out there who are ready to pick this particular analysis apart, and I welcome them to. But this is the way I see things, and on a personal note, it's worked out great so far.

-- 
Yours sincerely
Jostein Elvaker Haande
"A free society is a place where it is safe to be unpopular" - Adlai Stevenson
http://tolecnal.net -- tolecnal at tolecnal dot net
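The layout the post argues for (default deny in both directions, the public web server on its own DMZ interface rather than on the firewall, and the firewall itself reachable only for management from the LAN) written out as a pf ruleset. This is an added illustration, not from the post or from pfSense's generated configuration; the interface names, networks and addresses are assumed for the example.

```pf
# Added example of the default-deny, segmented layout described above.
# Assumed values (not from the post): WAN on em0, LAN on em1, DMZ on em2,
# LAN 10.0.0.0/24, DMZ 192.0.2.0/24 with the web server at 192.0.2.10.
wan     = "em0"
lan     = "em1"
dmz     = "em2"
lan_net = "10.0.0.0/24"
dmz_net = "192.0.2.0/24"
web_srv = "192.0.2.10"
web_ports = "{ 80, 443 }"

set skip on lo0
scrub in all

# Nothing is allowed by default, in either direction. Every rule below is an
# explicit exception, so anything not listed here (including any service that
# happens to be listening on the firewall itself) stays unreachable.
block log all

# Inbound from the Internet: only the web service, and only in the DMZ.
# No rule ever passes traffic from the WAN to the firewall's own addresses.
pass in quick on $wan proto tcp from any to $web_srv port $web_ports keep state

# Management of the firewall is accepted only on the LAN interface address.
pass in quick on $lan proto tcp from $lan_net to ($lan) port 443 keep state

# LAN clients may use the DMZ web server and reach the Internet, but not the
# firewall's other services; $dmz_net is excluded so the LAN cannot reach
# anything else in the DMZ.
pass in quick on $lan proto tcp from $lan_net to $web_srv port $web_ports keep state
pass in quick on $lan from $lan_net to ! $dmz_net keep state

# The DMZ host may fetch updates and resolve names, but cannot initiate
# anything towards the LAN; there is deliberately no pass rule for that.
pass in quick on $dmz proto { tcp, udp } from $dmz_net to ! $lan_net port { 53, 80, 443 } keep state

# Outbound legs of the flows allowed above.
pass out quick on $wan keep state
pass out quick on $dmz proto tcp from any to $web_srv port $web_ports keep state
pass out quick on $lan from any to $lan_net keep state
```

Rules are evaluated with `quick`, so the first match wins and the trailing `block log all` catches everything else; in pfSense the same structure is expressed through the per-interface rule tabs, which generate a ruleset of this shape.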