
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 22 Sep 2004 - 14:18:54 BST


On Wed, Sep 22, 2004 at 12:17:41AM +0200, Gilles wrote:
> Hi.
>
>
> > > Is it possible to set up the equivalent of a LAN with a DMZ and
> > > a "secure" part, all within a single physical machine (with a
> > > single network adapter)?
> >
> > yes, it is possible, but it does only make limited
> > sense if you are concerned about security ...
>
> (1)
> What is the exact difference, security-wise, between a single host
> and two hosts physically separated by a network wire (assuming that
> the Internet access point is secured by same SW (netfilter) firewall
> rules)?

- the firewall will not have open ports for services
  on the second host
- somebody able to crack the firewall, has to do similar
  for the second host ...
- services provided on the separate host do not leak
  to the outside

> > sorted by increasing security IMHO:
> >
> > - single host, firewall, services, enduser, 1nic
> > - single host, firewall, vservers (services), 1nic
> > - single host, firewall, vservers (services, enduser), 2nic
> > - separate firewall, 2nic (services), 2nd-host enduser
> > - separate firewall, 2nic, 2nd-host (services), enduser
> > - separate firewall, 2nic, 2nd-host vservers (services), enduser
> >
>
> (2)
> Is the following what you mean by the last configuration summary given
> above (the most secure):
>
> Internet <----> [ (nic1) H1 (nic2) ] <----> [ (nic3) H2 ]
>
> So, H1 is the firewall host, and H2 the internal, secure, host where
> vservers run.

yes, and where the enduser is on a separate host H3
in the same (or even separate) network as H2

> (3)
> If (2) is the actual setup, can it be arguably considered as secure as
> a LAN and DMZ, physically different, like the following:
>
> [ (nic2) ] <----> [ (nic3) H2 ]
> Internet <----> [ (nic1) H1 ]
> [ (nic4) ] <----> [ (nic5) H3 ]
>
> where H2 (DMZ) would run vservers for applications like a web server,
> and H3 (secure LAN) would run vservers like a database.

if H2 is the only user of H3 then it would be 'more'
secure to use something like this:

 Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> [H3]

> (4)
> With a physical setup as in (2), is it possible to use the vserver
> capacity in order to "simulate" (3)? [E.g. to have 2 "virtual"
> subnets inside H2, one of which would be the DMZ.]

yes, but it can be considered less secure than a
separated setup with vservers (IMHO) ...

> I've read the previous thread about "DMZ and vserver", but I didn't
> get what was the final proposal (physical setup, virtual zones...)
> An actual example would be welcome.

hmm, well, I'm no security expert and vserver setups
really depend on the _setup_ (similar to firewalls)
you can have one which doesn't provide you anything,
regarding security ...

I'll see, maybe I get around depicting some example
setups ... anyway discussion of those issues is
appreciated I'd say, so let's keep the talk going ...

best,
Herbert

> Thanks,
> Gilles
>
> P.S. I can't seem to be able to subscribe to the ML, I get a
> "Bug in Mailman version 2.1.4 -- We're sorry, we hit a bug!"
> page. [Yesterday, I sent a message to the list owner.]

which should help (as written on the wiki)

> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
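As an added illustration of the topology Gilles draws in (3) (this ruleset is not from the thread or the Linux-VServer project), the following is a netfilter ruleset for the firewall host H1 in iptables-save format, loadable with `iptables-restore`. It assumes nic1 is `eth0` (Internet), nic2 is `eth1` (DMZ, leading to H2) and nic4 is `eth2` (secure LAN, leading to H3); the web vserver on H2 (192.0.2.10), the database vserver on H3 (198.51.100.10), the two subnets and the database port (5432) are constructed values, not from the page. The point it makes concrete is the one Herbert raises about why separate hosts help: the firewall itself exposes nothing, and the only path from the exposed DMZ into the secure LAN is the single web-to-database flow the text describes.

```iptables
# Added example: H1 firewall for topology (3) in the thread.
# eth0 = nic1 (Internet), eth1 = nic2 (DMZ -> H2), eth2 = nic4 (secure LAN -> H3)
# All interface names, addresses and ports are constructed for this example.
# Load with:  iptables-restore < h1-rules.v4

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the DMZ web vserver behind the firewall's public address.
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.0.2.10
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Traffic to the firewall itself: no open ports for services, as the
# thread recommends; management (ssh) only from the secure LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i eth2 -s 198.51.100.0/24 -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Routed traffic between the three zones. Default policy is DROP, so
# every permitted flow is explicit and everything else is logged.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Internet -> DMZ: only the web vserver, only HTTP/HTTPS (after DNAT above).
-A FORWARD -i eth0 -o eth1 -d 192.0.2.10 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# DMZ -> secure LAN: only the web vserver, only to the database vserver, only its port.
-A FORWARD -i eth1 -o eth2 -s 192.0.2.10 -d 198.51.100.10 -p tcp --dport 5432 -m state --state NEW -j ACCEPT
# Secure LAN -> DMZ and Internet: the trusted side may initiate outwards.
-A FORWARD -i eth2 -s 198.51.100.0/24 -o eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -s 198.51.100.0/24 -o eth0 -m state --state NEW -j ACCEPT
# Internet -> LAN, DMZ -> Internet and DMZ -> any other LAN host are not
# listed, so they fall through to the DROP policy; log them first so a
# compromised DMZ vserver probing the secure LAN shows up in the kernel log.
-A FORWARD -j LOG --log-prefix "H1 FORWARD DROP: " --log-level 4
COMMIT
```

Two things worth noticing. First, the DMZ has no outbound Internet rule at all: a web vserver that only answers requests never needs to open connections out, and denying it is what turns a compromise into a contained one. Second, in Herbert's chained variant (Internet - H1 - H2 - H3) the web-to-database rule would move from H1 onto H2's nic4, since H1 then never sees LAN traffic; the filtering logic is the same, only the host enforcing it changes.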


Generated on Wed 22 Sep 2004 - 14:19:13 BST by hypermail 2.1.3