On Monday, 17.01.2005 at 14:05 +0000, Robert Brockway wrote:

> > 4. Configure the firewall as a 'forwarding' firewall, so that it doesn't
> > actually listen for any services of its own, with the exception of SSH
> > from a single IP on the 'GREEN' interface.
>
> Best practice has it that no services are run on the firewall (except ssh)
> to avoid someone being able to get in behind the firewall and bring it
> down. Do compare this though to the security of letting someone _through_
> the firewall. If you are letting people into your internal network it is
> just as bad unfortunately. A DMZ is needed for decent security but that
> may not be viable in a home setup. Security is about assessing risk vs
> the effort you want to go to (or can afford).

We're doing the classic DMZ 'three-armed' network layout, nothing comes
directly into GREEN; the DMZ will house the publicly-accessible servers.

> > Possible additional measures:
> >
> > 5. Fine-tune kernel for routing and firewall behaviour;
>
> You're unlikely to stress the box enough to warrant it IMHO. Firewalling
> is packet evaluation and passing. If you are loading the box so much that
> you need to fine-tune it then getting a bigger box is a good plan.

That's a good point ... :-)

> > 6. Allow firewall to use UDP on port 514 outgoing, to send syslogs to a
> > host on the GREEN network for logging.
>
> I wouldn't send syslog information outside the network unencrypted if I
> had a choice. There are ways to encrypt the data once it leaves the
> network.

Oh, yes, I agree - by GREEN I mean the local private network of course. My
use of 'outgoing' was misleading ... :-)

Thanks for your comments.

Cheers,
Dave.

-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
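As an added illustration of points 4 and 6 above (not code from either poster): a minimal three-armed ruleset in iptables-restore format for the GREEN / DMZ / RED layout being discussed. The firewall's INPUT chain accepts nothing except SSH from one GREEN host, its OUTPUT chain lets syslog (UDP 514) leave only towards a loghost on GREEN, and the DMZ can never initiate connections into GREEN. Interface names, addresses, the published DMZ port and the helper names `ruleset` and `check_ruleset` are all assumptions chosen for the example; NAT/DNAT for the DMZ servers is deliberately left out.

```shell
#!/bin/sh
# Added example, not from the thread. A three-armed firewall ruleset:
#   GREEN = private LAN, DMZ = public servers, RED = Internet.
# All interface names, addresses and ports below are assumptions.
GREEN_IF=eth0
DMZ_IF=eth1
RED_IF=eth2
GREEN_NET=192.168.1.0/24
ADMIN_IP=192.168.1.10      # the single GREEN host allowed to SSH to the firewall
LOGHOST=192.168.1.20       # syslog collector on GREEN
WEB_SERVER=192.168.2.80    # public server living in the DMZ

# Emit the ruleset on stdout. Apply with:  ruleset | iptables-restore
ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: the firewall itself listens for nothing but SSH from one GREEN host
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $GREEN_IF -s $ADMIN_IP -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "FW-INPUT-DROP: "
# OUTPUT: replies, plus syslog to the GREEN loghost only (never out via RED)
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $GREEN_IF -d $LOGHOST -p udp --dport 514 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FW-OUTPUT-DROP: "
# FORWARD: GREEN may go anywhere; RED reaches only the published DMZ service;
# the DMZ may never open connections into GREEN
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $GREEN_IF -s $GREEN_NET -j ACCEPT
-A FORWARD -i $RED_IF -o $DMZ_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $GREEN_IF -j DROP
-A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
EOF
}

# Sanity-check the policy invariants in the emitted text before loading it.
check_ruleset() {
  rules=$(ruleset)
  # exactly one SSH accept on INPUT, and it is bound to the admin host on GREEN
  [ "$(printf '%s\n' "$rules" | grep -c -- '-A INPUT .*--dport 22')" -eq 1 ] || return 1
  printf '%s\n' "$rules" | grep -q -- "-A INPUT -i $GREEN_IF -s $ADMIN_IP -p tcp --dport 22" || return 1
  # syslog may only leave towards the GREEN loghost, never via RED
  printf '%s\n' "$rules" | grep -q -- "-A OUTPUT -o $GREEN_IF -d $LOGHOST -p udp --dport 514" || return 1
  ! printf '%s\n' "$rules" | grep -q -- "-o $RED_IF .*--dport 514" || return 1
  # nothing from the DMZ is allowed to initiate into GREEN
  printf '%s\n' "$rules" | grep -q -- "-A FORWARD -i $DMZ_IF -o $GREEN_IF -j DROP" || return 1
  return 0
}

check_ruleset && echo "ruleset invariants OK"
```

The OUTPUT policy is deliberately strict: the firewall box gets no outbound traffic of its own beyond replies and syslog, so anything else it needs (DNS, NTP, package updates) has to be added explicitly rather than slipping through a permissive default. The LOG rules at the end of each chain are what make the dropped traffic visible on the GREEN loghost.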