LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-04-2004, 09:20 PM   #1
registering
Member
Registered: Jun 2003
Location: Florida, USA
Distribution: Drake 10.1 Download
Posts: 182
Comments on NW architecture?


Hi all,
I'm setting up a very simple network which currently has a
single Linux box acting as the gateway between the LAN and
the internet, with everything running on it. I'm planning to
put another system between it and the router for security,
and was wondering if anyone has any comments on how I could
do it better. I've only got two systems to work with for now,
however. In the future I hope to put a non-Linux box between
the two, to mix up the OS vulnerabilities.
Basically, I'm keeping all the main services on the 0.2 system,
and using NAT to route everything through the gateway 0.1 to
Apache on 0.2. I have two specific questions:

1) I figure running DNS (BIND) inside the LAN is safer, since
I can use NAT to route everything to the DNS server. Does that
make sense?

2) Running qmail on 0.1 can help filter out bogus emails and
lessen the load on 0.2, where all the email will actually be
kept. I've never used qmail before (I've used sendmail), but
I imagine it can do this.

Anyway, if anyone has any comments or suggestions I'd certainly
appreciate them.
Thanks!

Code:
 ----------------------
|        LAN           |
 ----------------------
          |
          |
 ----------------------
|  firewall            |
|  DHCP server         |
|  DNS                 |
|  qmail               |
|  apache              |
|  192.168.0.2         |
 ----------------------
          |
          |
 ---------------------------
| firewall: uses NAT to     |
|  send packets to apache   |
| qmail: just filtering     |
| NIC #1: 192.168.0.1 to LAN|
| NIC #2: 4.5.6.7 to router |
 ---------------------------
          |
          |
 -----------------------
|      router           |
 -----------------------
 
Old 06-07-2004, 05:32 AM   #2
Technonotice
Member
Registered: Mar 2004
Location: UK
Distribution: Debian Unstable
Posts: 58
Re: Comments on NW architecture?

Quote:
Originally posted by registering
Hi all,
I'm setting up a very simple network which currently has a
single linux box acting as the gateway between the LAN and
internet, with everything running on it. I'm planning to
put another system between it and the router for security,
...... {SNIP} ......
1) I figure running DNS (BIND) inside the LAN is safer, since
I can use NAT to route everything to the DNS server. Does that
make sense?
I can't see why having DNS running on a box internal to the LAN is going to be any more secure. Remember, port 53 UDP is going to be forwarded on the .1 machine to the .2 machine, and so any malicious packets that may exploit holes in BIND (which there have been...) are going to be sent there anyway - no matter what OS is running on .1.

Maybe if you wanted it to be ultra secure, you could run BIND on a separate machine which was filtered off from the LAN completely, and was connected to .1 from another interface, so that if your BIND box was compromised, it wouldn't have access to your LAN.

But that really is over the top unless you're running a large corp. network... and if you are, why are you asking questions on here? ;-)

I'd leave your services on the first box, to be honest, unless it's a question of load (as you mentioned with qmail). Actually, running a router takes very little load - a P133 will take the load for most small businesses. It's when you start doing application-level stuff that it hits it.

HTH
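A firewall script for the 192.168.0.1 gateway drawn in the first post, added here as an illustration and not posted by either participant. It assumes the interface names eth0/eth1 and an `IPT` variable (set it to `echo` to print the rules instead of applying them); the port 53 forward is gated off by default because, as the reply above says, a DNAT rule delivers every external DNS packet to BIND on .2 unchanged, whatever OS the gateway runs.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for the .1 gateway.
# Interface names and the IPT/EXPOSE_DNS variables are assumptions.
# Apply as root with:  IPT=iptables; gw_rules
# Preview with:        IPT=echo; gw_rules

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}          # NIC #2, 4.5.6.7, towards the router (assumed name)
LAN=${LAN:-eth1}          # NIC #1, 192.168.0.1, towards the LAN (assumed name)
SRV=192.168.0.2           # box running apache, BIND and the real mailbox qmail
LANNET=192.168.0.0/24

gw_rules() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LANNET" -j ACCEPT
    # qmail on the gateway itself (the filtering hop) is the only service
    # that listens on the WAN side; it relays accepted mail on to .2
    $IPT -A INPUT -i "$WAN" -p tcp --dport 25 -j ACCEPT

    # LAN clients reach the internet through NAT on the gateway
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE

    # Port forward: web traffic arriving on 4.5.6.7:80 goes to apache on .2
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$SRV"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$SRV" -p tcp --dport 80 -j ACCEPT

    # Forwarding 53 hands every external DNS packet straight to BIND on .2,
    # so NAT adds no protection there. Only enable it if .2 must answer
    # DNS for the internet; a LAN-only resolver needs no port forward.
    if [ "${EXPOSE_DNS:-no}" = yes ]; then
        $IPT -t nat -A PREROUTING -i "$WAN" -p udp --dport 53 \
            -j DNAT --to-destination "$SRV"
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$SRV" -p udp --dport 53 -j ACCEPT
    fi
}
```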
 
Old 06-07-2004, 08:42 AM   #3
registering
Member
Registered: Jun 2003
Location: Florida, USA
Distribution: Drake 10.1 Download
Posts: 182
Original Poster
Thanks for the feedback. And no, this is a very small network, as you guessed, and I'm not really a sysadmin; I've just been given those duties. So I'm learning as I go. Thanks again!