-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/07/07 17:04, Andrew Sackville-West wrote: > On Wed, Feb 07, 2007 at 04:56:31PM -0600, Ron Johnson wrote: >> On 02/07/07 13:57, Andrew Sackville-West wrote: >>> On Wed, Feb 07, 2007 at 12:20:47PM -0600, Ron Johnson wrote: >>>> On 02/07/07 11:31, Andrei Popescu wrote: >>>> >>>>> If I were to transform my firewall machine in a mailserver then IMAP >>>>> would be the best choice to access it. >>>> That's the *second worst* place to put it. >>>> >>> please enlighten. I am in the process of re-examining my home lan. My >>> new mobo on the server includes to nic's so I am thinking of using my >>> server as the firewall as well... you seem, from the above, to think >>> this is a bad idea. I don't doubt that it is... >> Machines exposed to the Internet should have as few services on them >> as possible. This reduces the threat "surface" (i.e., the number of >> available possible exploits. > > right. > >> Thus, the device "you" should expose to Internet should only be a >> router+firewall and web cache (if needed). ssh on that box should >> only be visible to the LAN. > > right. > >> Have the firewall *redirect* incoming imaps requests to your server. >> > > and that is what I currently do. And its a great use for this old 486 > that currently runs the firewall. I'm just looking at other > possibilities to cut down on power usage and the all important > available horizontal surface space. I discussed this issue a while ago > with no real resolution, hence my question. > > So running the service (IMAPS) in this case on the same box as the > firewall exposes that firewall machine to direct attack if there is a > compromise in the IMAPS server. This makes sense. But how exactly is > that different from my current setup where the IMAPS server is run on > a machine within the greenzone of my LAN.... hmmm... not really > different at all in that a compromise on that server is still inside > the lan. So in my now obviously bad setup it doesn't matter either > way: a compromised IMAPS server is a compromise on my lan. ugh. gotta > rethink all that.
Yes, a compromised IMAPS daemon will leave your main server vulnerable to attack from packets redirected from the router. > What about running servers in sandboxes (virtual machines or > chroots). I could move the only externally visible service (IMAPS) to > a virtual machine or a chroot on my server and tie it to one of the > two nics. THis would put that service in a sort of orange-zone. And > with the right configs, so that it only accepts requests from the > fire-wall and not anywhere else on the lan, isolate it even more. AKA a DMZ. That's a interesting thought: putting a DMZ inside a vm on your main server. I wouldn't trust a chroot, though. > then again, I've got a couple extra nics now, I could upgrade to a > full blown green/orange zone configuration. I'd still like to setup > the virtual machine though as I only have the one server and want > parts of that server freely accessible from the lan (music, photos, > video, backups etc). thoughts? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFFymrMS9HxQb37XmcRAkn0AKDi3imGtHB0s35fI/h8kWjLnFQfKwCbBiV9 /TClm5f0xfYD693KZwu61Sg= =kfFR -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
