About this list Date view Thread view Subject view Author view Attachment view

From: Gilles (gilles_at_harfang.homelinux.org)
Date: Fri 24 Sep 2004 - 13:20:32 BST

Setup A:

> > > > [ (nic2) ] <----> [ (nic3) H2 ]
> > > > Internet <----> [ (nic1) H1 ]
> > > > [ (nic4) ] <----> [ (nic5) H3 ]
> > > > [ (nic6) H4 ] etc.

Setup B:

> > > Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...

> > Why having 2 firewalls? [...]
> You probably don't comprise a server by finding a flaw in the
> firewall, you do it by finding a flaw in one of the sevices it runs
> and exploit that. Sendmail, nfs or whatever.
> By having a dedicated firewall that does nothing but firewall, i.e.
> running no other services, you cut off the ability for someone to hack
> the box.

Yes, I understand that all right; as said previously, no services are
effectively running on H1: connections are forwarded to H2.

> You run the second firewall on the box to keep people from poking
> where they shouldn't. For example, maybe a new blaster-xp worm comes
> into your office via an e-mail attachment and starts hammering every
> computer it can find. The firewall on H2 will offer protection.

But my question was: how is setup B more secure than setup A? The more
so that you said above that the firewall *itself* can't usually be
Unless I'm confused, H1 in setup A can offer the same protection (in the
scenario of a virus attack from e.g. H3) to the services running on H2 as
a second firewall running on H2 itself.
In fact neither setup A nor setup B can protect the internal network (H3,
etc.) from such a situation; which is probably one of the reasons for your
last suggestion:

> [...] put up firewalls on every
> computer in the office,

Of course, if there is a fw on every end-user machine, it doesn't make much
sense to discuss how to avoid putting one more on the main server ;-)


Vserver mailing list

About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Fri 24 Sep 2004 - 13:18:34 BST by hypermail 2.1.3