Forgot to copy the reply to this list.

On Friday 24 June 2005 07:00, Alan Chandler wrote:
> On Friday 24 June 2005 01:12, Paul D. Bain wrote:
> > I am not an expert on network security, but, IIRC, putting a web server
> > on the same physical box as a firewall is an incredibly _bad_ idea, at
> > least from a security point of view. Why? Well, if your web server is
> > compromised (via the box's "external address," as you term it), and if
> > the attacker then gains root access to the box on which the web server
> > runs (which he can do with a root kit), he can then either (a) attack
> > machines that lie _behind_ the firewall (the ones with IP addresses
> > beginning with "192.168") or (b) install a packet sniffer to gather
> > passwords and other sensitive information. Furthermore, here, you are
> > proposing to run not one, but _two_, web servers (Apache and Tomcat) on
> > your firewall box, increasing the chances of compromise (simply because
> > twice the servers means twice the security vulnerabilities in the server
> > software).
> >
> > If I were you, I would have a security expert give a quick opinion on
> > the soundness of your proposed configuration.
>
> I understand your concerns. However, this is a home configuration and I
> only have one server, so I don't have a choice.
>
> I have, in the past, run small standalone routers as my firewall. Both a
> Netgear RP614 and a D-Link 604. However, at the times when there are
> trojans about, causing massive numbers of ARP messages on my ISP's local LAN
> segment to which my broadband modem is connected, these routers tend to
> lock solid, requiring a power-off reset to restart them. Yet my Linux box
> running all these extra services (and postgres, mysql, exim4, spamd,
> courier-imap, fetchmail, bind, dhcpd3, samba, subversion server ...) has
> run solid for over a year without a problem.
>
> Of course my iptables firewall has locked down everything pretty solidly,
> but it is only one line of defence. I do understand that ideally I should
> take an onion-like approach (multiple layers) to security. Unfortunately I
> don't have a choice. Fortunately there is not much sensitive data around
> either.
>
> I do have a root kit sniffer run every night (which every night reports
> that dhcpd3 is sniffing the ethernet) in case someone does get in.
> --
> Alan Chandler
> http://www.chandlerfamily.org.uk
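One way to narrow the risk Paul describes (a compromised web server on the firewall box pivoting to the 192.168 machines) with the iptables ruleset Alan mentions, as an added example that is not from either poster. It assumes eth0 is the external interface, eth1 faces the LAN at 192.168.1.0/24, and Apache and Tomcat run as the unprivileged accounts www-data and tomcat; the script only prints the rules unless invoked with `apply` as root.

```shell
#!/bin/sh
# Assumed interfaces, LAN range and service accounts; adjust for your box.
EXT_IF="${EXT_IF:-eth0}"                  # interface with the external address
LAN_IF="${LAN_IF:-eth1}"                  # interface facing the 192.168 machines
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_USERS="${WEB_USERS:-www-data tomcat}" # Apache and Tomcat run as these users

# Emit the iptables commands. Defaults drop inbound and forwarded traffic;
# only port 80 is reachable from outside, and the LAN may go out via NAT.
fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
    # Traffic the web-server accounts originate on this box may not reach the
    # LAN: log it (a hint of compromise) and reject it. The owner match only
    # confines those accounts; once an attacker is root it no longer helps,
    # which is why the nightly root kit check remains the second layer.
    for u in $WEB_USERS; do
        echo "iptables -A OUTPUT -d $LAN_NET -m owner --uid-owner $u -j LOG --log-prefix \"web-to-lan: \""
        echo "iptables -A OUTPUT -d $LAN_NET -m owner --uid-owner $u -j REJECT"
    done
}

# Number of OUTPUT rules that confine a given account (for checking the set)
count_user_rules() { fw_rules | grep -c -- "--uid-owner $1 "; }

if [ "${1:-}" = "apply" ]; then
    fw_rules | sh      # load the rules; run as root
else
    fw_rules           # just show them
fi
```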