[Techtalk] DMZs, etc.
Jenn Vesperman
jenn at anthill.echidna.id.au
Tue Dec 11 07:57:20 EST 2001
On Tue, 2001-12-11 at 02:55, Michelle Murrain wrote:
>
> I know that DMZs are, basically, best practice for network design. Question
> is: what if the network is primarily made up of servers that provide
> internet services (web, mail, dns), with only a few computers that are on
> an internal network.
Do you want to protect those computers?
Would it matter if they were broken into?
If so - and I'm assuming that the questions were rhetorical and the
answers 'yes, it WOULD matter' - then yes, you need to put the server in
a DMZ and the other boxes behind a second firewall.
Is the network going to expand in the future? The answer to that one is
almost always 'yes'.
> In this scenario, would a single firewall, plus NAT
> for the internal computers be enough practically (along with running snort
> etc. on any internal boxes)?
You should run snort etc on the DMZ boxes as well.
> What if NFS is running on the internal
> computers (but not the web servers, etc.)? Does this up the ante some?
Usually, yes. It creates a single point of vulnerability.
> Or, could you use one of the internet servers as the first firewall?
Probably. You'd have to set it up carefully.
> I'm basically trying to set up a secure system, but with as few boxen as
> possible (keep it cheap, and keep my office from getting too hot!)
Do you have a small space you could put the firewalls and servers in?
Not the office itself, but some other room - we have ours in a tiny
'fourth bedroom'.
Jenn V.
--
"Do you ever wonder if there's a whole section of geek culture
you miss out on by being a geek?" - Dancer.
jenn at anthill.echidna.id.au http://anthill.echidna.id.au/~jenn/
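The single-firewall layout discussed in this thread (public web/mail/dns server on a DMZ leg, the few internal boxes behind NAT on a third leg, and no path from the DMZ into the internal network where NFS lives) as an added iptables example; it is not from the original message, and the interface names, addresses and published ports are assumptions.

```shell
#!/bin/sh
# Assumed topology (constructed for this example):
#   eth0 = Internet, eth1 = DMZ (192.168.100.0/24), eth2 = internal (192.168.1.0/24)
EXT=eth0; DMZ=eth1; INT=eth2
DMZ_NET=192.168.100.0/24; INT_NET=192.168.1.0/24
DMZ_HOST=192.168.100.10   # the web/mail/dns box (constructed address)

# Emit an iptables-restore ruleset on stdout. Nothing is applied here, so the
# output can be reviewed first and then loaded with: dmz_ruleset | iptables-restore
dmz_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ services; DMZ and internal boxes share the firewall's address
-A PREROUTING -i $EXT -p tcp -m multiport --dports 25,80 -j DNAT --to-destination $DMZ_HOST
-A PREROUTING -i $EXT -p udp --dport 53 -j DNAT --to-destination $DMZ_HOST
-A POSTROUTING -o $EXT -s $INT_NET -j MASQUERADE
-A POSTROUTING -o $EXT -s $DMZ_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Internet -> DMZ: only the published services (after DNAT, dst is the DMZ host)
-A FORWARD -i $EXT -o $DMZ -d $DMZ_HOST -p tcp -m multiport --dports 25,80 -j ACCEPT
-A FORWARD -i $EXT -o $DMZ -d $DMZ_HOST -p udp --dport 53 -j ACCEPT
# Internal -> anywhere may start connections; replies come back via ESTABLISHED
-A FORWARD -i $INT -j ACCEPT
# DMZ -> Internet only. A compromised DMZ box must not reach the internal LAN,
# so DMZ -> internal attempts are logged and dropped (this is the "second
# firewall" between the DMZ and the NFS clients, on one box)
-A FORWARD -i $DMZ -o $EXT -j ACCEPT
-A FORWARD -i $DMZ -o $INT -j LOG --log-prefix "DMZ->INT blocked: "
-A FORWARD -i $DMZ -o $INT -j DROP
COMMIT
EOF
}
```

Running snort on the DMZ interface of the firewall, as well as on the DMZ host itself, gives a second view of what reaches the published services.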