[Shorewall-users] LAN server config?

Jim Hubbard jimh@dyersinc.com
Thu, 31 Jan 2002 08:58:43 -0500


> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net]On Behalf Of Paul Gear
> Sent: Wednesday, January 30, 2002 5:58 AM
> To: jimh@xlproject.com
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] LAN server config?
>
> Personally, if you are running standard POP3 over the Internet, i
> think you
> are:
>     a) crazy,
>     b) an ISP, or
>     c) both of the above.   :-)
> I know users like it, but it really is quite insecure.
>

Thanks for the wakeup call.  I still consider myself a Linux newbie, and I'm
still learning.  I tend to concentrate on getting a service to work first
and learn how to secure it later.  So "ignorant", in this case, is probably a
better description.  If you have any good links for implementing secure pop3
please let me know.

>
> Personally, i don't feel that the 3 NIC model actually offers much more
> protection than what you've got, since you would only have to compromise
> one system (the firewall) to gain access to the entire network, whereas
> your current model requires that two systems (the router and the Linux
> server) be compromised, unless the Linux box is compromised through the
> port-forwarded services.
>

It's not that the hardware router I have is insecure, it's just that I don't
really know (and can't control) how secure it is.  With this particular
router, I can't even ban a host from using it.  For instance, if I want to
ban a host from my web server, I have to do it at the web server instead of
at the router.  That, to me, is not good.  Using one Linux system as a
router and having a second running web and mail services in a "dmz" zone
physically separate from the rest of the lan would seem to be much better
and offer more control.  Not that I really understand yet how to properly
use that control, but I figure I've only got about 19,437 more man pages to
read until it seems like child's play.

Jim Hubbard
jimh@dyersinc.com
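As an added illustration (not part of the thread, and not taken from the Shorewall distribution), here is what the three-NIC layout Jim describes looks like in Shorewall's column-oriented configuration files: a "net" zone on the Internet interface, a "loc" zone for the LAN, and a "dmz" zone on a third interface holding the web and mail server. The interface names, the 10.0.0.0/24 and 10.1.0.0/24 subnets, the DMZ server address 10.1.0.2 and the banned host 203.0.113.45 are all assumed values chosen for the example (the last from a documentation address range), so substitute your own.

```text
# /etc/shorewall/zones          (ZONE  DISPLAY  COMMENTS)
net    Net      Internet
loc    Local    Trusted LAN
dmz    DMZ      Public web/mail server, physically separate segment

# /etc/shorewall/interfaces     (ZONE  INTERFACE  BROADCAST  OPTIONS)
# eth0 = Internet link, eth1 = LAN, eth2 = DMZ (assumed names)
net    eth0       detect     norfc1918,routefilter
loc    eth1       detect
dmz    eth2       detect

# /etc/shorewall/policy         (SOURCE  DEST  POLICY  LOG LEVEL)
# Default-deny: nothing passes between zones unless a rule allows it.
loc    net    ACCEPT
loc    dmz    ACCEPT
dmz    net    ACCEPT            # server may fetch updates / deliver mail
dmz    loc    DROP    info      # a compromised DMZ host cannot reach the LAN
net    all    DROP    info
all    all    REJECT  info

# /etc/shorewall/rules          (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Ban a single host at the router rather than at the web server.
# This line must come before the DNAT rules so it is matched first.
DROP   net:203.0.113.45   dmz            tcp    80
# Forward inbound web and SMTP from the single public address to the DMZ box.
DNAT   net                dmz:10.1.0.2   tcp    80
DNAT   net                dmz:10.1.0.2   tcp    25
# Allow the firewall itself to be administered from the LAN only.
ACCEPT loc                fw             tcp    22
```

The point of the layout is the dmz-to-loc DROP policy: if the exposed server is broken into through one of the forwarded services, the attacker is still on a segment that the firewall will not route into the LAN, which is the extra control the hardware router in the thread cannot provide. Logging the dropped traffic (the `info` level) also gives you a record of the banned host or the DMZ machine trying to reach where it should not. Note that the DNAT rule, not an open port on the Linux box itself, is what exposes the service, and that the POP3 concern raised earlier in the thread is not addressed by this file at all; port 110 is deliberately not forwarded.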