[Shorewall-users] LAN server config?
Thu, 31 Jan 2002 08:58:43 -0500
> -----Original Message-----
> From: firstname.lastname@example.org
> [mailto:email@example.com]On Behalf Of Paul Gear
> Sent: Wednesday, January 30, 2002 5:58 AM
> To: firstname.lastname@example.org
> Cc: email@example.com
> Subject: Re: [Shorewall-users] LAN server config?
> Personally, if you are running standard POP3 over the Internet, I think you are
> a) crazy,
> b) an ISP, or
> c) both of the above. :-)
> I know users like it, but it really is quite insecure.
Thanks for the wake-up call. I still consider myself a Linux newbie, and I'm
still learning. I tend to concentrate on getting a service to work first
and learn how to secure it later. So "ignorant", in this case, is probably a
better description. If you have any good links for implementing secure POP3,
please let me know.
> Personally, I don't feel that the 3 NIC model actually offers much more
> protection than what you've got, since you would only have to compromise
> one system (the firewall) to gain access to the entire network, whereas
> your current model requires that two systems (the router and the Linux
> server) be compromised, unless the Linux box is compromised through the
> port-forwarded services.
It's not that the hardware router I have is insecure, it's just that I don't
really know (and can't control) how secure it is. With this particular
router, I can't even ban a host from using it. For instance, if I want to
ban a host from my web server, I have to do it at the web server instead of
at the router. That, to me, is not good. Using one Linux system as a
router and having a second running web and mail services in a "DMZ" zone
physically separate from the rest of the LAN would seem to be much better
and offer more control. Not that I really understand yet how to properly
use that control, but I figure I've only got about 19,437 more man pages to
read until it seems like child's play.