Port Forwarding vs. Running Servers on Firewall
Keith Mastin
kmastin-PzQIwG9Jn9VAFePFGvp55w at public.gmane.org
Fri Sep 5 17:44:20 UTC 2003
> Hi,
>
> Security conscious system administrators seem to favour running as few
> services on the firewall as possible and prefer to put things like http,
> smb, smtp, pop, etc. on boxes in a DMZ or behind the firewall. I guess
> the theory is the more services that are run on the firewall, the
> greater the points of vulnerability, but, if one must allow access to
> http, smtp, and pop from the outside world, one still has to open those
> ports on the firewall and forward them to the appropriate machines on
> the inside network. Setting aside the DMZ issue for the time being,
> what, if any, advantage is there to running these services on machines
> behind the firewall? Is it just that if the firewall is compromised,
> the bad guy still has to crack the machine on the inside or is there
> something I am missing?
If the bad guy can crack into one of the services that is running as root,
then he also has access to all the firewall information too. He can change
the scripts to allow access into any of the machines, not only the server.
If all traffic for a specific service is forwarded to another machine,
then it's the internal machine and not the firewall that he has access to.
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
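The split Keith describes, as an added example that is not part of the original thread: a minimal iptables policy for a Linux firewall that forwards the public services to hosts behind it and never accepts them on INPUT, so a compromised web or mail daemon lands on the inside box rather than on the firewall. Interface names and the 192.168.10.x addresses are assumptions.

```shell
#!/bin/sh
# Constructed example, not the poster's configuration. Interface names and
# internal addresses are assumed; adjust them for the real network.
WAN_IF="${WAN_IF:-eth0}"    # assumed external interface
LAN_IF="${LAN_IF:-eth1}"    # assumed internal/DMZ interface
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them

# forward_service PROTO EXT_PORT INT_HOST INT_PORT
# Rewrites the destination in nat/PREROUTING and permits only that rewritten
# flow through FORWARD. Nothing is added to INPUT, so the firewall itself
# never listens on the port and has no root daemon exposed there.
forward_service() {
    proto=$1; ext_port=$2; int_host=$3; int_port=$4
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$int_host:$int_port"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$int_host" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

# base_policy: drop by default, keep established flows, and leave INPUT closed
# apart from loopback and replies. An attacker on a forwarded-to server then
# has no rule that lets him reach the firewall's own services either.
base_policy() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# apply_policy: the three services from the question, each forwarded inward.
apply_policy() {
    base_policy
    forward_service tcp 80  192.168.10.10 80    # assumed web server in DMZ
    forward_service tcp 25  192.168.10.20 25    # assumed mail relay
    forward_service tcp 110 192.168.10.20 110   # assumed POP server
}

# Load only when invoked with "apply"; `IPT=echo sh fw.sh apply` dry-runs it.
if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Because the forwarded ports appear only in PREROUTING and FORWARD, `iptables -L INPUT` on the firewall should show no ACCEPT for 25, 80 or 110; if it does, a service has been exposed on the firewall itself.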