From: MH - Entwicklung (entwicklung_at_heubach-edv.de)
Date: Fri 09 May 2003 - 18:12:22 BST
we're currently thinking about the following idea:
For cost effectiveness it is a nice idea to run publicly accessible services on the same host where the firewall (netfilter and proxies) is running. Netfilter can limit the network access to and from each vserver's address. As one cannot escape the vserver (as long as nobody proves the opposite), no compromise of the firewall running in the root server context should be possible from any compromised vserver context (assuming no exploitable service is running in the root server context).
In theory it is no problem to move all DMZ hosts onto vservers running on the firewall host. We already made some tests with such systems and didn't find any obvious weakness but we're not sure if there aren't some hidden traps.
We won't go so far as to use such a system in a high or top security environment, but it seems to be a good solution for small to medium businesses with moderate security demands.
The discussed scenario is a LAN connected to the internet through a firewall computer which is also hosting vservers. Instead of building a DMZ, all public services will be hosted on those vservers. Assuming that a vserver cannot be escaped from, the root server/firewall and with it the LAN should not be in danger. Are there any arguments against this theory?
Any discussion is welcome but I'm not on the list until monday.
manfred heubach edv und neue medien Hindenburgstr. 47 D-73728 Esslingen
Tel. +49 711 9315824 Fax +49 711 9315825 www.heubach-edv.de
Information technology and telecommunications for businesses
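Added example for the setup described in the message above; this is not code from the original post or from the Linux-VServer project. It prints (rather than applies) an iptables ruleset that confines one vserver to its own address, which is the "netfilter can limit the network access to and from each vserver's address" part of the proposal. All names and addresses are assumptions: eth1 faces the LAN 10.0.0.0/24, the root context owns 192.0.2.1 (public) and 10.0.0.1 (LAN), and the vserver "www" has the public address 192.0.2.10. One detail the rules have to respect: a vserver's address is an alias on the host's own interface, so packets between a vserver and the root context (or another vserver on the same host) never leave the machine. They travel over lo and pass INPUT/OUTPUT, not FORWARD, so the confinement rules match on addresses only and never on the external interface.

```shell
#!/bin/sh
# Added example (not from the original post): print an iptables ruleset that
# confines a vserver to its own address on a combined firewall/vserver host.
# Assumed topology (not in the original): eth1 = LAN 10.0.0.0/24,
# root context addresses 192.0.2.1 (public) and 10.0.0.1 (LAN).
# Apply with:  { gen_root_rules; gen_vserver_rules www 192.0.2.10 80 443; } | sh

LAN_NET=10.0.0.0/24                 # assumed LAN behind the firewall
ROOT_ADDRS="192.0.2.1 10.0.0.1"     # assumed addresses of the root context
LAN_IF=eth1                         # assumed LAN interface

# gen_root_rules: default-deny for the root context itself. The argument in the
# message assumes no public service runs in the root context; this makes that
# true by policy. Administration is reachable from the LAN only.
gen_root_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT"
}

# gen_vserver_rules LABEL IP PORT...
#   LABEL: chain-name suffix (letters/digits), IP: the vserver's address,
#   PORT...: TCP ports on which the vserver may accept connections from anywhere.
# Rules deliberately do not use "-i eth0": traffic from another context on the
# same host arrives over lo and must be filtered by the same chains.
gen_vserver_rules() {
    label=$1; ip=$2; shift 2
    in_chain="vs_${label}_in"; out_chain="vs_${label}_out"

    echo "iptables -N $in_chain"
    echo "iptables -N $out_chain"
    # Hook the chains in: everything addressed to / sourced from the vserver.
    echo "iptables -A INPUT -d $ip -j $in_chain"
    echo "iptables -A OUTPUT -s $ip -j $out_chain"

    # Inbound: only the published services, plus replies to connections the
    # vserver itself opened. Everything else to this address is dropped,
    # including probes from other vservers on the same host.
    echo "iptables -A $in_chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A $in_chain -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A $in_chain -j DROP"

    # Outbound: replies to accepted connections first, so a LAN client that
    # connected to the service still gets its answers ...
    echo "iptables -A $out_chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # ... but a compromised vserver must not open anything towards the LAN or
    # towards the root context's own addresses. Root-context daemons bound to
    # 0.0.0.0 answer on every local address, including over lo, which is why
    # the root addresses are listed explicitly. These DROPs come before any
    # ACCEPT an admin might later append for the vserver's own needs (DNS,
    # an update mirror), so such additions cannot reach the LAN by accident.
    echo "iptables -A $out_chain -d $LAN_NET -j DROP"
    for a in $ROOT_ADDRS; do
        echo "iptables -A $out_chain -d $a -j DROP"
    done
    echo "iptables -A $out_chain -j DROP"
}

# Stand-alone run: print the complete ruleset for one example vserver.
gen_root_rules
gen_vserver_rules www 192.0.2.10 80 443
```

The order of emission matters: the root-context rules go first so the INPUT policy and the loopback/established rules are in place before the per-vserver chains are hooked in. Whatever the vserver needs to initiate itself (DNS resolution, package updates) has to be added as explicit ACCEPT rules in its outbound chain after the LAN and root-address DROPs; the default is that the vserver may answer but never call out.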