dmz server setup - opinions

Chuck Swiger cswiger at mac.com
Sun Jul 31 16:37:11 GMT 2005


Jeff wrote:
> I realize this may be partly religion and potentially biased due to 
> the list but here goes anyway.

There is nothing wrong with bias, per se, if you are aware that it exists. :-)

> I need to build a DMZ server, of sorts, that will sit on the public 
> internet. It will take in data from embedded devices and in turn services 
> from behind a firewall will pull data from it to later process.  The 
> main processes that I need to run are ftpd, httpd, possibly 
> smtpd (sasl2, tls), and later proprietary code that talks to the embedded 
> devices.

A "DMZ server" implies you are setting up a "screened public subnet" along with 
a backend LAN subnet.  If you are setting up a firewall with three interfaces, 
OK, but you should avoid running any services on that box except for 
IPFW/dummynet/PF/ALTQ/whatever.

If you are setting up a box that has two interfaces, one with a public IP and 
one doing NAT to a private LAN subnet, that is still a firewall, but you don't 
have a DMZ.

If need be, you can run proxy services on that box, but it still would be 
better from the standpoint of security to run them on an internal box via NAT 
forwarding of whatever ports are needed.

> Originally I was thinking of using OpenBSD, as it seems to lend itself 
> very nicely to the public but secure environment.  On the other hand, if 
> I were to use FreeBSD, I could jail each process, granted I could also 
> chroot each process in OpenBSD and httpd is already done for me.
> 
> I will be running a firewall on the box either way and will also have 
> sshd and rsyncd running, only allowing access from the internal network.

OK.

> I have more experience with FreeBSD, but my limited knowledge based on 
> an install and configuration of OpenBSD 3.7 has made me comfortable with 
> it as well.
> 
> Any opinions on which OS is better suited for the task?  Security and 
> reliability are the foremost concerns (aren't they everyone's?) and I think 
> both OSes are more than up to the task.

Both OSes are up to the task.  If you are going to just set up a firewall, 
using OpenBSD would be an easy choice.

However, it sounds like you plan to install at least your custom software, a 
web server, and several other 3rd-party pieces: FreeBSD ports makes doing that 
and keeping it up-to-date securely very easy via portaudit & portupgrade.

Many people seem to value things like "cost" and "performance", or even 
"convenience", more highly than they value "security" or "reliability".  Don't 
take this for a suggestion to change what you are doing, however.  :-)

-- 
-Chuck

PS: What is your security policy?  If this doesn't have a clear answer to you, 
start with identifying what it is you are trying to protect, and what it is 
that you are trying to protect whatever-that-is against.  Then read:

http://www.ietf.org/rfc/rfc2196.txt
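The three-interface layout Chuck describes (a filtering-only firewall in front of a screened DMZ subnet and a backend LAN, with the published ports forwarded to the DMZ host and sshd/rsyncd reachable only from the LAN), written out as a pf.conf. This is an added example, not part of the thread; interface names, addresses and port lists are assumed placeholders.

```pf
# Added example, not from the thread: a three-interface pf.conf for the
# layout Chuck describes (Internet / screened DMZ subnet / backend LAN).
# It uses the nat/rdr syntax of OpenBSD 3.x, which FreeBSD's pf still
# accepts; interface names and addresses are made-up placeholders.
ext_if  = "fxp0"              # public Internet
dmz_if  = "fxp1"              # screened subnet holding the DMZ server
int_if  = "fxp2"              # backend LAN
dmz_net = "192.168.1.0/24"
dmz_srv = "192.168.1.10"      # runs ftpd, httpd, smtpd
int_net = "10.0.0.0/24"

pub_ports  = "{ 21, 80, 25 }"   # published to the Internet
mgmt_ports = "{ 22, 873 }"      # sshd and rsyncd: reachable from the LAN only

set skip on lo0
scrub in all

# LAN hides behind the public address; only the published ports are
# forwarded to the DMZ host.  Active-mode FTP also needs ftp-proxy(8).
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $pub_ports -> $dmz_srv

# Default deny on every interface; log the drops.
block log all

# Internet -> DMZ server: published services only.  The rdr above has
# already rewritten the destination to $dmz_srv when this is evaluated.
pass in on $ext_if proto tcp from any to $dmz_srv port $pub_ports \
    flags S/SA keep state

# LAN -> DMZ server: the internal processes that pull data, plus the
# management ports that must never be reachable from outside.
pass in on $int_if proto tcp from $int_net to $dmz_srv port $pub_ports \
    flags S/SA keep state
pass in on $int_if proto tcp from $int_net to $dmz_srv port $mgmt_ports \
    flags S/SA keep state

# LAN -> Internet: unrestricted, but not into the DMZ subnet except above.
pass in on $int_if from $int_net to ! $dmz_net keep state

# Matching outbound legs on the other interfaces.
pass out on $ext_if keep state
pass out on $dmz_if proto tcp from any to $dmz_srv port $pub_ports keep state
pass out on $dmz_if proto tcp from $int_net to $dmz_srv port $mgmt_ports \
    keep state

# No "pass in on $dmz_if" rule at all: the DMZ host cannot open connections
# to the LAN or to the Internet, so a compromised server stays contained.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`; with the last-match semantics of pf, the `block log all` must stay above the `pass` rules for the default deny to work.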
