On Sat, Apr 02, 2005 at 01:40:01AM -0500, David Kramer wrote:
> I'm reading up on the whole DMZ concept, and it seems like a
> straight pass-through, so what does that buy you over hooking up the
> machine straight to the DSL modem? It means I don't have to
> configure individual ports to go to my server, but it adds no
> protection to my server either.

The DMZ concept is simple, really. It is a separate network which can access and be accessed by the Internet, and it can be accessed by your internal network, but it cannot directly access the internal network (it can respond to requests, but not initiate them). The purpose of this is so that if your DMZ hosts are compromised, they can't easily be used to gain access to your internal network. Naturally, the firewall should be configured such that NO access from the Internet to your internal network is permitted...

Originally, IIRC, DMZs were constructed with their own separate firewall from the one which protected the internal network... But these days most sites find it a lot more economical to use a single, triple-homed firewall for connecting the three networks.

That said, I have only ever used commercial grade firewalls like the Cisco PIX, or Linux boxes, to implement my firewalls (and DMZs), so I don't have any experience using these home appliance gadgets, nor any knowledge of how they implement their DMZs. I've heard that the DMZ implemented in SOME such devices is sub par, but I can't speak to that in any useful way. I'd use a Linux box for this, personally. [Or possibly, since I've been looking for an excuse to learn the various *BSDs, I might go that route next time I need to build a DMZ.]

> I can probably ditch rsync,

And you probably should. rsync can be run over ssh, and that's the safest way to do it, unless you need to provide anonymous rsync access for some reason...

> I also forget how AIM/Yahoo/MSN messengers are working without holes
> for their protocols. Do they go over port 80?

MSN can, and I believe yahoo can, but I don't use AIM so I'm not sure. Some protocols may or may not lose some functionality when using the HTTP method to connect...

> I assume I should continue to run SuseFirewall on my server even if it's
> protected by the router, right?

Sure, it provides extra protection in case someone uses the non-disableable backdoor password in your appliance to open up all your ports... ;-) [I'm not suggesting I know that yours has one, but there have been many network devices built which had such things...] In the event that your appliance is compromised in some way, the host-based firewall on the server will provide extra protection.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail. Sorry for the inconvenience. Thank the spammers.
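The three-zone policy described in the reply above (internal may initiate to the DMZ and the Internet, the Internet reaches only published DMZ services, the DMZ may answer but never initiate into the internal network), written out as an nftables ruleset for a triple-homed Linux firewall. This is an added example, not from the list post; the interface names, the server address and the published ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): nftables ruleset for a triple-homed Linux
# firewall implementing the DMZ policy described above.
# Interface names, the server address and the published ports are assumptions.
WAN=eth0              # DSL modem side
LAN=eth1              # internal network
DMZ=eth2              # DMZ segment holding the server
SERVER=192.168.2.10   # assumed DMZ address of the server
# Print the ruleset (run with "apply" as the first argument to load it with nft).
dmz_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Replies to connections permitted below may flow back; DMZ hosts can
    # answer the internal network but never open a connection into it.
    ct state established,related accept
    ct state invalid drop
    # Internal network may initiate to both the DMZ and the Internet.
    iifname "$LAN" oifname { "$DMZ", "$WAN" } accept
    # Internet reaches only the published services on the DMZ server
    # (ssh is for rsync-over-ssh, as suggested in the post).
    iifname "$WAN" oifname "$DMZ" ip daddr $SERVER tcp dport { 22, 80, 443 } accept
    # DMZ hosts may reach the Internet (DNS, updates).
    iifname "$DMZ" oifname "$WAN" accept
    # Any DMZ -> internal attempt is logged as a compromise indicator, then dropped;
    # Internet -> internal never matches an accept and falls to the drop policy.
    iifname "$DMZ" oifname "$LAN" log prefix "DMZ-to-LAN " drop
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    # Forward the published ports from the public side to the DMZ server.
    iifname "$WAN" tcp dport { 22, 80, 443 } dnat to $SERVER
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN" masquerade
  }
}
EOF
}
if [ "${1:-}" = apply ]; then
  dmz_ruleset | nft -f -    # requires root and the nft tool
else
  dmz_ruleset               # just show the ruleset
fi
```

The forward chain is where the DMZ separation actually lives: the only path from the DMZ into the internal network is a reply to an established connection, so a compromised DMZ host gets a logged drop when it tries anything else.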