On Wed, Feb 07, 2007 at 04:56:31PM -0600, Ron Johnson wrote:
> On 02/07/07 13:57, Andrew Sackville-West wrote:
> > On Wed, Feb 07, 2007 at 12:20:47PM -0600, Ron Johnson wrote:
> >> On 02/07/07 11:31, Andrei Popescu wrote:
> >>
> >>> If I were to transform my firewall machine in a mailserver then IMAP
> >>> would be the best choice to access it.
> >> That's the *second worst* place to put it.
> >>
> >
> > please enlighten. I am in the process of re-examining my home lan. My
> > new mobo on the server includes two nics so I am thinking of using my
> > server as the firewall as well... you seem, from the above, to think
> > this is a bad idea. I don't doubt that it is...
>
> Machines exposed to the Internet should have as few services on them
> as possible. This reduces the threat "surface" (i.e., the number of
> available possible exploits).

right.

> Thus, the device "you" should expose to Internet should only be a
> router+firewall and web cache (if needed). ssh on that box should
> only be visible to the LAN.

right.

> Have the firewall *redirect* incoming imaps requests to your server.

and that is what I currently do. And it's a great use for this old 486
that currently runs the firewall. I'm just looking at other possibilities
to cut down on power usage and the all-important available horizontal
surface space. I discussed this issue a while ago with no real resolution,
hence my question.

So running the service (IMAPS in this case) on the same box as the
firewall exposes that firewall machine to direct attack if there is a
compromise in the IMAPS server. This makes sense. But how exactly is that
different from my current setup where the IMAPS server is run on a machine
within the green zone of my LAN.... hmmm... not really different at all in
that a compromise on that server is still inside the lan. So in my now
obviously bad setup it doesn't matter either way: a compromised IMAPS
server is a compromise on my lan. ugh. gotta rethink all that.

What about running servers in sandboxes (virtual machines or chroots)? I
could move the only externally visible service (IMAPS) to a virtual
machine or a chroot on my server and tie it to one of the two nics. This
would put that service in a sort of orange zone. And with the right
configs, so that it only accepts requests from the firewall and not
anywhere else on the lan, isolate it even more.

then again, I've got a couple extra nics now, I could upgrade to a full
blown green/orange zone configuration. I'd still like to set up the
virtual machine though as I only have the one server and want parts of
that server freely accessible from the lan (music, photos, video, backups
etc).

thoughts?

A
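As an added illustration of the setup Ron describes and the "orange zone" idea Andrew floats (this is example code written for this page, not anything posted in the thread): an iptables script for the firewall that DNATs inbound IMAPS (port 993) to the internal server and forwards nothing else from the WAN, plus the rules for the server's own two NICs so the daemon answers only on the interface cabled to the firewall. All addresses and interface names are constructed for the example; `DRY_RUN=1` (the default) echoes the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Addresses/interfaces are constructed.
WAN_IF="eth0"              # firewall: interface facing the Internet
LAN_IF="eth1"              # firewall: interface facing the green zone
IMAP_SERVER="192.168.1.10" # internal host running the IMAPS daemon
IMAPS_PORT=993             # IMAP over TLS

# In dry-run mode IPT just echoes the iptables command lines so the rule set
# can be reviewed (and tested) without root; run with DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"
if [ "$DRY_RUN" = "1" ]; then IPT="echo iptables"; else IPT="iptables"; fi

# Rules for the router+firewall box: only forward the one redirected flow.
firewall_rules() {
    # Default deny for traffic to the firewall itself and for forwarded traffic.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Let replies to existing connections through.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh to the firewall is reachable from the LAN side only.
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    # Redirect (DNAT) inbound IMAPS from the Internet to the internal server...
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$IMAPS_PORT" \
        -j DNAT --to-destination "$IMAP_SERVER:$IMAPS_PORT"
    # ...and forward only that flow; every other new WAN->LAN connection is dropped.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$IMAP_SERVER" \
        --dport "$IMAPS_PORT" -m state --state NEW -j ACCEPT
}

# Rules for the server itself: IMAPS is accepted only on the NIC cabled to the
# firewall, so other LAN hosts cannot reach the daemon directly.
server_rules() {
    ORANGE_IF="eth0"   # server: NIC connected to the firewall (constructed)
    GREEN_IF="eth1"    # server: NIC on the LAN, for music/photos/backups
    # Caveat: DNAT keeps the Internet client's address as the source, so the
    # daemon cannot be limited by "source = firewall IP"; limit by interface.
    $IPT -A INPUT -i "$ORANGE_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$ORANGE_IF" -p tcp --dport "$IMAPS_PORT" -j ACCEPT
    $IPT -A INPUT -i "$ORANGE_IF" -j DROP
    # The same daemon is not offered on the green-zone side at all.
    $IPT -A INPUT -i "$GREEN_IF" -p tcp --dport "$IMAPS_PORT" -j DROP
}

# Print (dry run) or apply (DRY_RUN=0, as root) both rule sets.
firewall_rules
server_rules
```

Binding the daemon inside a chroot or VM to the orange-side address only, as Andrew suggests, complements these rules; the interface-based filter is what stops a LAN host from talking to the daemon even if the bind address is misconfigured.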