[ILUG] Re: Networking Protocols
Gavin McCullagh
ilug_gmc at fiachra.ucd.ie
Sun Feb 20 18:15:52 GMT 2005
Hi,

In gmane.user-groups.linux.ilug.general, you wrote:
> I have a pc dedicated to the firewall functions which is running RULE
> Linux as it is an elderly PII. PC1 is running Windows 2000 Professional
> and PC2 is running Red Hat FC 3.
> What I'm pondering on is which protocols should be running where? It
> seems to be that this configuration will work with either DNS or DHCP
> and with or without a Domain setup. So what would be the optimum way of
> configuring this set up?

Your firewall is the one which will be most prone to attack. For this
reason it is common practice to put as little software as possible on it
(e.g. remove the compiler, run few or no services). This is so that you
give the attacker as few attack routes as possible *and* if he does get in
by some means, to make it awkward for him/her to escalate privileges and/or
attack the rest of your network.

However, there's a question of balance. Your Windows machine will clearly
be reliant on the Linux ones. The firewall must be running for it to have
net access. If you want it to authenticate against an SMB domain, you must
have the Samba server on. If you need and run internal DNS, that'll have
to be up. If you have Samba on the other Linux machine, your Windows
machine might be reliant on both other machines. Same for email (assuming
you really need your own mail server, which you may not).

So, to use Windows practically, you could need all three PCs booted.
That's both wasteful and inconvenient, though maybe you don't mind for some
reason. If you put everything on the firewall you needn't have the other
Linux machine booted. You must also open ports between firewall and local
network to allow the services to work.

Personally, I run all these on my home firewall (the services are of course
blocked to the outside world) and have no intention of running two
always-on machines. But I guess it would be more secure to do things that
way.

Hope that helps,
Gavin
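The trade-off discussed above (LAN services hosted on the firewall, blocked to the outside world) can be expressed as a default-deny packet filter. This is an added example, not part of the original message: the interface names `eth0`/`eth1`, the service list and the function names are assumptions, and the output is in `iptables-restore` format.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a firewall that also
# hosts LAN services. Interface names and the service list are assumptions.

# proto:port pairs for the services named in the thread:
# DNS (53), DHCP server (67), Samba/SMB (137-139, 445), SMTP (25).
LAN_SERVICES="udp:53 tcp:53 udp:67 udp:137 udp:138 tcp:139 tcp:445 tcp:25"

# emit_rules LAN_IF WAN_IF -> filter-table ruleset on stdout
emit_rules() {
    lan_if=$1
    wan_if=$2
    echo "*filter"
    # Default-deny inbound and forwarded traffic; the box itself may talk out.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections the firewall or LAN hosts started.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Services are reachable only when the packet arrives on the LAN side.
    for svc in $LAN_SERVICES; do
        proto=${svc%%:*}
        port=${svc##*:}
        echo "-A INPUT -i $lan_if -p $proto --dport $port -j ACCEPT"
    done
    # LAN hosts may open connections out through the firewall.
    # (NAT for a privately addressed LAN lives in the *nat table, not shown.)
    echo "-A FORWARD -i $lan_if -o $wan_if -j ACCEPT"
    # No ACCEPT rule names the WAN interface as input, so unsolicited
    # traffic from outside falls through to the DROP policy.
    echo "COMMIT"
}

# wan_accept_count RULESET IFACE -> number of INPUT ACCEPT rules on IFACE
wan_accept_count() {
    printf '%s\n' "$1" | grep -c -- "-A INPUT -i $2 .*-j ACCEPT" || true
}

# Print the ruleset for the assumed interfaces when run directly.
emit_rules "${LAN_IF:-eth1}" "${WAN_IF:-eth0}"
```

Review the printed rules before loading them with `iptables-restore`; `wan_accept_count` gives a quick check that nothing has been opened on the outside interface.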