
Re: [seul-edu] Slowest Computers and security risks



Thanks, Ken.  I am not so confident as to so boldly assert any of my 
humble understandings, but it seems like Dirk is headed in the right 
direction by separating out the services.

So, paraphrasing another wise man (Ken), each service should be 
segregated on separate machines with firewalls placed in between types 
of services (web, internal, and internal confidential).  In this light 
I need a few more old machines to set up beside the four I have to 
split out more tasks, and I will be able to do more (or be more secure) 
with even less (horsepower) than I was planning.

[1 internet firewall (PII 200) with a NIC to my DMZ (Celeron 300) with 
apache, sendmail and a link to our curriculum provider, and another NIC to 
our 2nd firewall (Celeron 350) which is also running proxy, Squid, DHCP 
and DNS.  The 2nd firewall has three other NICs going to the portmaster 
and modem bank for dial-ups, the student network (with printers) and 
another machine (Celeron 200) for internal and internal confidential 
files]

Next question: Heat in the server room!

Jim Aird

On Wednesday, October 30, 2002, at 05:16 PM, Ken Barber wrote:

>> On Wednesday, October 30, 2002, at 11:12 AM, Dirk Schouten wrote:
>>> Our primary school server is a P200 with 32 mb ram.
>>> It runs apache, sendmail, router, firewall, MySQL, PHP. No
>>> problems.
>
> On Wednesday 30 October 2002 13:44, Jim Aird wrote:
>
>> I was once lernt by a wise man with convincing logic that your
>> combination of services may be a risky move.
>
> Wrong.
>
> There is no "may be" about it; it IS a risky move.  NEVER put ANY
> other services on a firewall.
>
> All of the other services you mentioned (above) have a long history
> of multiple vulnerabilities.  If any one of them gets cracked,
> you've got a door open to your entire network.  'tis not a pretty
> sight.
>
> In fact, for any server to which the world is allowed access, I
> strongly recommend that each service resides on its own separate
> server.  Web, mail, DNS etc. -- each needs to have its own dedicated
> server.  Same reason as above:  when (not if) one gets compromised,
> that is ALL the 'hacker' has gotten, instead of unfettered access to
> your entire Crown Jewels.
>
> Third, never store a database on a Web server.  Host it on a machine
> inside the firewall and give the Web server permission to query it.
>
> And yes, I am a nationally recognized, certified security expert.
> I'm available for work, if anyone is interested.
>
> Ken Barber
>
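
The segmentation discussed above (a default-deny internet firewall that runs no services of its own, a DMZ leg for the public web/mail host, an inside leg, and a database host behind the firewall that only the web server may query) can be written down as an iptables ruleset. The script below is an added example, not code from the original mail or from anyone on the list. The interface names, addresses and the MySQL port (3306) are assumptions for illustration; IPT defaults to "echo iptables" so the script only prints the rules it would load, and setting IPT=iptables as root applies them.

```shell
#!/bin/sh
# Added example (constructed): internet-firewall ruleset for the topology
# sketched in the thread. Assumed layout:
#   eth0 -> Internet (untrusted)
#   eth1 -> DMZ      192.168.10.0/24, apache+sendmail host 192.168.10.10
#   eth2 -> inside   192.168.20.0/24 (2nd firewall, DB host 192.168.20.10)
# IPT defaults to a dry run; export IPT=iptables to load for real.
IPT="${IPT:-echo iptables}"

WAN_IF=eth0
DMZ_IF=eth1
INT_IF=eth2
DMZ_NET=192.168.10.0/24
INT_NET=192.168.20.0/24
DMZ_WEB=192.168.10.10   # the public web/mail host in the DMZ (assumed)
INT_DB=192.168.20.10    # database host inside, never on the web server (assumed)
DB_PORT=3306            # MySQL; change if the DB listens elsewhere (assumed)

# Default-deny on every chain; only the rules below open traffic.
set_policy() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# The firewall itself offers no services: accept only loopback, replies
# to its own connections, and ssh from the inside network.
firewall_host_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Internet -> DMZ: only the published services, only to the DMZ host.
dmz_inbound_rules() {
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
}

# DMZ -> inside: the web server may open the database port on the one DB
# host and nothing else, so a cracked DMZ box does not get the inside.
# Everything else from the DMZ toward the inside is logged, then dropped.
dmz_to_inside_rules() {
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -s "$DMZ_WEB" -d "$INT_DB" -p tcp --dport "$DB_PORT" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOG --log-prefix "DMZ->INT denied: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
}

# Inside may originate connections outward and into the DMZ; the DMZ may
# reach the Internet (outbound mail, updates). Private ranges are NATed.
inside_outbound_rules() {
    $IPT -A FORWARD -i "$INT_IF" -s "$INT_NET" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -s "$INT_NET" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Emit (or load) the whole ruleset in order.
build_ruleset() {
    set_policy
    firewall_host_rules
    dmz_inbound_rules
    dmz_to_inside_rules
    inside_outbound_rules
}

build_ruleset
```

Note that there is deliberately no rule with -i eth0 and -o eth2: nothing from the Internet is forwarded straight to the inside network, and the only DMZ-to-inside path is the single database port from the single web host. The 2nd firewall in the sketch would take the same pattern with the student network treated as its untrusted leg and the internal/confidential file server as its protected leg.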