About this list Date view Thread view Subject view Author view Attachment view

From: Gilles (gilles_at_harfang.homelinux.org)
Date: Fri 24 Sep 2004 - 14:27:11 BST


Setup A:

> > > > [ (nic2) ] <----> [ (nic3) H2 ]
> > > > Internet <----> [ (nic1) H1 ]
> > > > [ (nic4) ] <----> [ (nic5) H3 ]
> > > > [ (nic6) H4 ] etc.

Setup B:

> > > Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...

> > What's the difference between "border" and "simple" firewall?
>
> the 'border' firewall protects the office against
> the internet, the 'simple' firewall protects your
> services

But the services *are* protected, by H1.

> (and maybe the border firewall)

Ah, that's the added value then.
But, as Matt replied, a firewall is a much more difficult target...

> > Isn't it sufficient to have a firewall on H1 (the host)?
>
> sufficient, well, maybe, but you asked about security
> right? and part of that security would be to monitor
> the firewall and detect intrusion, which is actually
> very simple with a 'non-reachable' host, monitoring
> a 'firewall' vserver ...
>

OK, I get it, I think.

> > If not, how do the host and vserver share responsibilities (pppd,
> > firewall,...)?
>
> pppd is probably not a part of the firewall I had in
> mind, but if you need some kind of 'dialup' connectivity
> for that office, then the 'firewall' host will have to
> handle that, of course ...
>

So that means yet another firewall on H1 (?): one on the host to watch
"ppp0" and forward all connections to the vserver running a second firewall
that does the port forwarding (for the allowed services) and that is
monitored for intrusion.

>
> firewall software is iptables in my book, YMMV,

Yes I use iptables too, configured through the "Shorewall" scripts.

>
> exploit on apache -> root shell on server -> all done
>

Yes I get that, but I didn't intend to run any service outside
a vserver nor on the H1 machine.
 
> in the depicted setup it will probably happen like
> this:
>
> exploit -> root shell on vserver -> isolated
> -> exploit to escape vserver -> H2
> -> exploit for the firewall -> H1
>
> which looks to me a little more secure than the above.
>

Yes a *little* more, as the only difference with setup A is the
exploit to cross the supplementary firewall on H2. But... in
setup B, the internal network is then open, while in setup A,
the firewall on H1 remains to be cracked to access H3, H4, etc.
So, it seems that trying to access the private network eventually
requires roughly the same amount of "work".

But, my main worry was about the DMZ! Unless I overlooked something
in your answers, I'm still confused about that.

What is the difference (or is there one, in principle) between:

 (1) Having a public service (e.g. apache) and a private service (e.g.
     mysql), running on 2 separate vservers on the same host.

and

 (2) Having the public service and private service each running on their
     own hosts.

The first thing I notice is that in case (2), the 2 hosts would be on
different subnets (one of which is the DMZ). [Hence the firewall rule
would only allow connections from the Internet to the DMZ.]

While in case (1) all vservers share the same virtual ethernet inside
the host. [So there is no simple firewall rule: allow to DMZ / deny to
private.]

Is this correct? In the affirmative, is it a problem and can it be
solved?
E.g. I was wondering whether it is possible to simulate several subnets
inside a single host (i.e. without resorting to a second nic!). If I
remember correctly, "vmware" does that (as was already pointed out by
someone else). So the question is: How to do it with vserver?

Best regards,
Gilles
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Fri 24 Sep 2004 - 14:25:06 BST by hypermail 2.1.3