From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Wed 22 Sep 2004 - 22:16:58 BST
On Wed, Sep 22, 2004 at 11:05:15PM +0200, Gilles wrote:
> Hello.
> 
> > [...]
> > ... anyway discussion of those issues is
> > appreciated I'd say, so let's keep the talk going ...
> > 
> 
> Fine :-)
> In fact, I'd like to understand what is the minimal hardware
> configuration, necessary to build a "complete" IT infrastructure,
> i.e. that would at least comprise services such as
>  - file
>  - web
>  - mail
>  - database
>  - backup
> 
> The aim is to be able to propose a "full-featured" solution to 
> small organizations, which have limited resources, and be able
> to emphasize a level of security similar to the expensive solution
> where each server would be on its own physical box.
> 
> E.g. if 5 people work with a computer each, it might be difficult to
> get them buy twice as many computers...
> 
> I imagined that the minimum would be 2 extra computers: one for the
> firewall (H1) and the other for the services (H2).
> 
>                  [           (nic2) ] <----> [ (nic3) H2 ]
>  Internet <----> [ (nic1) H1        ]
>                  [           (nic4) ] <----> [ (nic5) H3 ]
>                                              [ (nic6) H4 ] etc.
> 
> H3 to H8 would be the 5 end-user machines, on a different subnet than
> H2 is on.
okay, this gives me a better picture of the desired
setup, and in this case I'd opt for the following
(maybe unconventional?) setup:
 Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...
with a border firewall on H1 and a simple firewall
and proxy solution on H2, a single vserver on H1 
with CAP_NET_ADMIN and vservers for each service 
on H2. why?  because!
no, seriously, IMHO this would allow doing the following 
things in a secure way:
 
 - in office traffic between hosts
 - controlled usage of the services on H2 from inside
 - double checked services to the outside
 - monitored firewall, only the single vserver is
   communicating with the internet (e.g. tripwire
   is running on the host) ...
 - firewall host only reachable from inside
 - no issues on service maintenance, just close the 
   service on the border fw
 - a second layer of protection from vservers for
   the services and the firewall stuff
 - ... 
HTH,
Herbert
> But it can be objected that H2 shouldn't host both the public (e.g. web)
> and the private (e.g. database) services.
> 
> So, I was wondering:
> Is it possible to have "virtual" networks inside H2?  If yes, how?
> Even if it is possible, if each service on H2 runs inside its own vserver,
> is it necessary to have a virtual DMZ?
> Would it be enough if each service is configured to listen to its IP address
> only?
> Are there obvious security threats?
> 
> 
> > > P.S. I can't seem to be able to subscribe to the ML,
> 
> I'm subscribed now.
> 
> 
> Best regards,
> Gilles
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
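As an added example (not code from the thread or from the Linux-VServer project), here is the border-firewall half of Herbert's layout as an iptables script for H1, meant to run inside the single vserver that holds CAP_NET_ADMIN while the host only monitors. Interface names, addresses and the service list are assumptions; the script defaults to printing the rules (dry run) so they can be reviewed before being applied.

```shell
#!/bin/sh
# Border firewall rules for H1 in the layout discussed above:
#   Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...
# Meant to run inside the single vserver on H1 that holds CAP_NET_ADMIN,
# while the host itself only monitors. Interface names, addresses and the
# service list are assumptions, not values from the thread.
WAN=eth0                 # nic1, towards the Internet
LAN=eth1                 # nic2, towards H2
H2_NET=192.168.1.0/24    # subnet of H2 and its service vservers (assumed)
ADMIN=192.168.1.3        # inside host allowed to ssh into H1 (assumed)
# public services as port:address of the vserver that serves them (assumed)
SERVICES="80:192.168.1.10 25:192.168.1.11"
CLOSED=""                # ports taken offline during maintenance, e.g. "25"

# Apply one rule, or print it when DRY_RUN is set so the rule set can be
# reviewed before it touches a live firewall.
ipt() { if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi; }

closed() { case " $CLOSED " in *" $1 "*) return 0 ;; esac; return 1; }

h1_rules() {
    ipt -F INPUT; ipt -F FORWARD; ipt -t nat -F PREROUTING
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # H1 is reachable only from the inside: nothing new is accepted on nic1.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$ADMIN" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$WAN" -j DROP
    # Outbound traffic is allowed only from the H2 side; H2's own firewall
    # and proxy decide which vserver may use it ("double checked").
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$H2_NET" -j ACCEPT
    # Each public service is forwarded to exactly one vserver; a port listed
    # in CLOSED is simply not forwarded: "close the service on the border fw".
    for svc in $SERVICES; do
        port=${svc%%:*}; dst=${svc#*:}
        closed "$port" && continue
        ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$dst"
        ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$dst" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Default to a dry run; pass "apply" to load the rules for real.
[ "$1" = apply ] || DRY_RUN=1
h1_rules
```

Setting CLOSED="25" and re-running drops the mail forwarding while the other services stay up, which is the maintenance step Herbert describes.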