dmz server setup - opinions
jeff.dyke at gmail.com
Mon Aug 1 01:54:06 GMT 2005
Chuck Swiger wrote:
> Jeff wrote:
>> I realize this may be partial religion and then potentially bias due
>> to the list but here goes anyway.
> There is nothing wrong with bias, per se, if you are aware that it
> exists. :-)
>> I need to build a DMZ server, of sorts, that will sit on the public
>> internet. It will take in data from embedded devices and in turn
>> services from behind a firewall will pull data from it to later
>> process. The main processes that I need to run are ftpd, httpd,
>> possibly smtpd (sasl2, tls), and later proprietary code that talks to
>> the embedded devices.
> A "DMZ server" implies you are setting up a "screened public subnet"
> along with a backend LAN subnet. If you are setting up a firewall with
> three interfaces, OK, but you should avoid running any services on that
> box except for IPFW/dummynet/PF/ALTQ/whatever.
> If you are setting up a box that has two interfaces, one with a public
> IP and one doing NAT to a private LAN subnet, that is still a firewall,
> but you don't have a DMZ.
Understood, that's the reason for the 'of sorts'.
> If need be, you can run proxy services on that box, but it still would
> be better from the standpoint of security to run them on an internal box
> via NAT forwarding of whatever ports are needed.
>> Originally I was thinking of using OpenBSD, as it seems to lend itself
>> very nicely to the public but secure environment. On the other hand,
>> if I were to use FreeBSD, I could jail each process, granted I could
>> also chroot each process in OpenBSD and httpd is already done for me.
>> I will be running a firewall on the box either way and will also have
>> sshd and rsyncd running, only allowing access from the internal network.
>> I have more experience with FreeBSD, but my limited knowledge based
>> on an install and configuration of OpenBSD 3.7 has made me comfortable
>> with it as well.
>> Any opinions on which OS is better suited for the task? Security and
>> reliability are the foremost concerns (aren't they everyone's) and I
>> think both OSes are more than up to the task.
> Both OSes are up to the task. If you are going to just set up a
> firewall, using OpenBSD would be an easy choice.
> However, it sounds like you plan to install at least your custom
> software, a web server, and several other 3rd-party pieces: FreeBSD
> ports makes doing that and keeping it up-to-date securely very easy via
> portaudit & portupgrade.
> Many people seem to value things like "cost" and "performance", or even
> "convenience", more highly than they value "security" or "reliability".
> Don't take this for a suggestion to change what you are doing, however.
True. Cost is just my time, and I feel performance between the two is
negligible (Dell 750, Pentium 4 3GHz, 1G RAM, 2 73G drives, RAID 1). I'd spend
extra time/money, within reason, for security and reliability... how's it go?
Pay me now, or pay me later... heh.
I appreciate the input. I'm now leaning toward going back inside the firewall with
this, with FreeBSD, using jails for httpd/ftpd and allowing the current external
firewall to continue its work using NAT, and if I need the DMZ, set up an actual
one, not just a public cache server, as I had explained here.
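A pf.conf sketch of the three-interface "screened subnet" layout Chuck describes, added here as an illustration and not taken from either poster: the firewall box runs nothing but the packet filter, only the published ports are forwarded to the host in the DMZ, and sshd/rsyncd on that host are reachable from the internal LAN only. Interface names, addresses and the passive-FTP port range are assumed placeholders, and the syntax is the OpenBSD 3.x era form (nat/rdr as separate rules).

```pf
# Assumed interface names and addressing (placeholders, not from the thread)
ext_if    = "fxp0"            # public Internet
dmz_if    = "fxp1"            # screened subnet holding the data-collection host
int_if    = "fxp2"            # backend LAN that pulls the data
dmz_net   = "10.0.1.0/24"
dmz_host  = "10.0.1.10"       # runs ftpd/httpd/smtpd for the embedded devices
int_net   = "10.0.2.0/24"
pub_ports = "{ 21, 25, 80 }"  # ftp, smtp, http as listed in the original post
pasv_ports = "49152:49200"    # ftpd's configured passive data range (assumed)

scrub in all

# Hide both private subnets behind the public address for outbound traffic
nat on $ext_if from { $dmz_net, $int_net } to any -> ($ext_if)

# Forward only the published services to the DMZ host; nothing else enters
rdr on $ext_if proto tcp from any to ($ext_if) port $pub_ports  -> $dmz_host
rdr on $ext_if proto tcp from any to ($ext_if) port $pasv_ports -> $dmz_host

# Default deny, logged, so any unlisted flow shows up in pflog
block log all
pass quick on lo0

# Internet -> DMZ host: the forwarded ports only, new connections only
pass in on $ext_if proto tcp from any to $dmz_host port $pub_ports  flags S/SA keep state
pass in on $ext_if proto tcp from any to $dmz_host port $pasv_ports flags S/SA keep state

# Internal LAN -> DMZ host: sshd and rsyncd, which the poster restricts to the LAN
pass in on $int_if proto tcp from $int_net to $dmz_host port { 22, 873 } flags S/SA keep state

# Internal LAN -> Internet, NATed above
pass in on $int_if from $int_net to ! $dmz_net keep state

# DMZ host may reach the Internet (updates, outbound mail) but never the LAN,
# so a compromised DMZ host cannot initiate connections inward
block in log quick on $dmz_if from $dmz_net to $int_net
pass  in on $dmz_if from $dmz_host to any keep state

# Replies for stateful sessions leave on whichever interface they need
pass out keep state
```

Because FTP opens a second data connection, the passive range must match what ftpd is configured to use, or the control channel will connect and every transfer will hang.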