markp
Guest
|
Posted:
Sat Jan 15, 2005 4:33 pm Post subject:
Firewall and email/file servers on same machine? |
|
|
Hi all,
I'm thinking of adding a linux based firewall to my home network, probably
on a mini-itx machine. I also need an email server and a file server that
can be accessed via a VPN.
Is it better from a security point of view to have physically separate
machines for the firewall and servers, or can these be in the same physical
machine without compromising security? I've heard that physically separating
them is good practice, but is there a genuine security reason or is this
just a maintenance issue?
Thanks!
Mark. |
|
|
 |
Wolfgang Kueter
Guest
|
Posted:
Sat Jan 15, 2005 5:12 pm Post subject:
Re: Firewall and email/file servers on same machine? |
|
|
markp wrote:
| Quote: | Is it better from a security point of view to have physically separate
machines for the firewall and servers,
|
Yes.
| Quote: | or can these be in the same
physical machine without compromising security? I've heard that physically
separating them is good practice, but is there a genuine security reason
or is this just a maintenance issue?
|
Yes, there is a genuine security reason and that reads: 'Run as few (public)
services as possible on a security device!' For any service offered by the
box sooner or later an exploit might be found. What is not there cannot be
exploited. Best is to run _no_ services on a firewall at all.
On the contrary more machines means more necessary effort for
administration (installing patches, hardware maintenance etc.).
Wolfgang |
|
|
 |
James Knott
Guest
|
Posted:
Sat Jan 15, 2005 6:12 pm Post subject:
Re: Firewall and email/file servers on same machine? |
|
|
markp wrote:
| Quote: | Is it better from a security point of view to have physically separate
machines for the firewall and servers, or can these be in the same
physical machine without compromising security? I've heard that physically
separating them is good practice, but is there a genuine security reason
or is this just a maintenance issue?
|
Firewalls should not be running anything not related to the firewall
function. The more you install or run, the greater the possibility of a
security risk. Ideally, you'd even forward vpn and ssh access to another
box, rather than allow it on the firewall. |
|
|
 |
markp
Guest
|
Posted:
Sun Jan 16, 2005 10:13 pm Post subject:
Re: Firewall and email/file servers on same machine? |
|
|
"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:csb1b2$tbp$1@news.shlink.de...
| Quote: | markp wrote:
Is it better from a security point of view to have physically separate
machines for the firewall and servers,
Yes.
or can these be in the same
physical machine without compromising security? I've heard that
physically
separating them is good practice, but is there a genuine security reason
or is this just a maintenance issue?
Yes, there is a genuine security reason and that reads: 'Run as few
(public)
services as possible on a security device!' For any service offered by the
box sooner or later an exploit might be found. What is not there cannot be
exploited. Best is to run _no_ services on a firewall at all.
On the contrary more machines means more necessary effort for
administration (installing patches, hardware maintenance etc.).
Wolfgang
|
Thanks! I think that I'll set up a firewall only machine, and put other
stuff on another machine locally.
Mark. |
|
|
 |
markp
Guest
|
Posted:
Sun Jan 16, 2005 10:15 pm Post subject:
Re: Firewall and email/file servers on same machine? |
|
|
Thanks to all who replied. From what has been said I think I'll set up a
firewall only machine and do all the file and email serving locally on
another machine.
Mark.
"markp" <map.nospam@f2s.com> wrote in message
news:34sdcmF49roq7U1@individual.net...
| Quote: | Hi all,
I'm thinking of adding a linux based firewall to my home network, probably
on a mini-itx machine. I also need an email server and a file server that
can be accessed via a VPN.
Is it better from a security point of view to have physically separate
machines for the firewall and servers, or can these be in the same
physical machine without compromising security? I've heard that physically
separating them is good practice, but is there a genuine security reason
or is this just a maintenance issue?
Thanks!
Mark.
|
|
|
|
 |
Guest
|
Posted:
Thu Jan 20, 2005 6:13 am Post subject:
Re: Firewall and email/file servers on same machine? |
|
|
In article <34vlp4F4fafepU1@individual.net>,
"markp" <map.nospam@f2s.com> writes:
| Quote: | Thanks to all who replied. From what has been said I think I'll set up a
firewall only machine and do all the file and email serving locally on
another machine.
Mark.
"markp" <map.nospam@f2s.com> wrote in message
news:34sdcmF49roq7U1@individual.net...
Hi all,
I'm thinking of adding a linux based firewall to my home network, probably
on a mini-itx machine. I also need an email server and a file server that
can be accessed via a VPN.
Is it better from a security point of view to have physically separate
machines for the firewall and servers, or can these be in the same
physical machine without compromising security? I've heard that physically
separating them is good practice, but is there a genuine security reason
or is this just a maintenance issue?
|
It has always been a truism that a firewall machine should be ONLY a
firewall machine. That's also not necessarily a reasonable situation
for a home machine. Assuming you've decided to find space for an extra
machine, it then becomes necessary to find space for 2 machines. And
while we're at it, it would REALLY be better to have a dedicated logging
host that accepts NO incoming connections, just a console, etc. It can
get out of hand, rapidly.
So let's take a slightly different situation...
About May 2003, I finally decided that maintaining a tight enough
firewall/server (Yes, I had space for *one* spare machine.) took more
due diligence than I really wanted to spend. So I bought a little blue
box, by Netgear. Actually, I specifically went up a few notches, and
got one with SPI, and other features that could almost make up for not
having a fully programmable firewall. Considering the events of Summer/
Fall 2003 I'm quite glad I got it.
It has always been my intent to re-open some remote connections, so I
can get to my machines at work or when travelling. I haven't gotten
around to it yet, so I have a hardware firewall and behind that a dual-
homed server that can be turned into a secondary firewall.
Any comment on using a combination of secondary firewall that also
provides home lan (no external) services? If/when I allow any sort of
external connection, it will probably only be a filtered OpenVPN
endpoint.
Dale Pontius |
|
|
 |
Tim Haynes
Guest
|
Posted:
Thu Jan 20, 2005 4:32 pm Post subject:
Re: Firewall and email/file servers on same machine? |
|
|
dale@edgehp.invalid () writes:
[snip]
| Quote: | It has always been my intent to re-open some remote connections, so I can
get to my machines at work or when travelling. I haven't gotten around to
it yet, so I have a hardware firewall and behind that a dual-homed
server that can be turned into a secondary firewall.
Any comment on using a combination of secondary firewall that also
provides home lan (no external) services? If/when I allow any sort of
external connection, it will probably only be a filtered OpenVPN
endpoint.
|
I've recently moved, and shuffled the networking arrangements around thus:
outside world <- ADSL router <- linux box <- LAN boxes
<- Wifi router
<- mac desktop
linux box, in this case, used to be the primary firewall; now that's done
mostly on the ADSL router. I'm running rsync (for backups and gentoo
portage), dns and mail servers on the linux box, all internally visible
only. Can't say I have a major problem with it on the security front, it
fits my needs just fine. I'd be more worried if the box were the primary
firewall, but even so, I trust my ability to configure things to listen
only on the internal interfaces, and iptables, enough to risk it for home
purposes.
~Tim
--
CREMATORIA have been ordered to halve |piglet@stirfried.vegetable.org.uk
the amount of toxic mercury released |http://pig.sty.nu/
into the atmosphere from tooth fillings. |
- random news from The Scotsman | |
|
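An added example, not part of any post in this thread: one way to check the two points made above, that a firewall box should offer as few services as possible and that services on a dual-homed box should listen only on the internal interfaces. It audits `ss -H -tuln` output and reports every listener that is not confined to the inside. The interface names, the LAN prefix and the sample output are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for this example: eth1 is the LAN side, 192.168.1.0/24 is the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "::1/128", "192.168.1.0/24")]
INTERNAL_IFACES = {"lo", "eth1"}

# Constructed `ss -H -tuln` output for a dual-homed box (not from the thread).
SAMPLE_SS = """\
udp UNCONN 0 0   192.168.1.1:53 0.0.0.0:*
tcp LISTEN 0 128 192.168.1.1:53 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 5   0.0.0.0:873 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 100 203.0.113.7:25 0.0.0.0:*
udp UNCONN 0 0   [fe80::1]%eth0:546 [::]:*
"""

def classify(local):
    """Return 'internal', 'wildcard' or 'external' for an ss Local Address:Port field."""
    host, _, _port = local.rpartition(":")
    host, _, iface = host.partition("%")
    host = host.strip("[]")
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:            # 0.0.0.0 or :: binds every interface
        return "wildcard"
    if iface:                          # scoped (link-local) address: judge by interface
        return "internal" if iface in INTERNAL_IFACES else "external"
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"

def audit(ss_output):
    """List (proto, local, verdict) for every listener not confined to the inside."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue                   # skip blank or truncated lines
        verdict = classify(fields[4])
        if verdict != "internal":
            findings.append((fields[0], fields[4], verdict))
    return findings

if __name__ == "__main__":
    for proto, local, verdict in audit(SAMPLE_SS):
        print(f"{verdict:8} {proto} {local}")
```

A `wildcard` finding means the service depends entirely on the packet filter to keep outside traffic away; rebinding it to the LAN address removes that dependency.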