
Re: Apache question
* Alfred Breull <puma_(_at_)_hannover_(_dot_)_sgh-net_(_dot_)_de> [001210 03:19]:
>> ISP <--> ppp <--> OpenBSD (firewall & web server) <--> LAN users
> Is the firewall & web server combination in one box recommended or
> just doable?

Well, I admit this is how my current setup works as well -- firewall and
ftp on the one box. And I have set up similar firewalls in the past --
firewall and sendmail+uucp, firewall and samba (when I was on the campus
network), and worse.

It is not ideal, though; in my own personal case, I just don't have the
resources to make a good NFS/ftp/web server for my shared data. In the
case with firewall/sendmail+uucp, it was again money -- the boss didn't
want to spend enough money to put together two boxes for the job.

Does it work? Usually. Does it often overly complicate matters? Yes.
What happens if the httpd, ftpd, sendmaild (heh), bind, etc get cracked?
The box is counted dead, and one starts over from scratch. If the
services are spread out onto other machines, a crack in one service
means that one service is lost -- and the others are not affected,
unless they depend upon that service in a way that the service has
'write' access. (And even then, the amount of damage may be fairly well
limited.)

Check out infrastructures.org (if I recall the address correctly) and
Jonathan Shapiro's PhD thesis if this interests you.
infrastructures.org deals with making every machine on the network
replaceable in ten minutes. Shap's PhD thesis deals with read/write
issues among services, though he is really interested in a single
machine.

And, of course, Saltzer and Schroeder's paper The Protection of
Information (on Computers?) gives a good background.

-- 
``Oh Lord; Ooh you are so big; So absolutely huge; Gosh we're all
really impressed down here, I can tell you.''
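The "box is counted dead" rule versus the "one service lost, unless another depends on it with write access" rule above can be made concrete as a small blast-radius calculation. The following is an added example, not code from the thread or from any of the projects mentioned; the service names, the two placements (everything on the firewall box versus spread across hosts) and the single write dependency (ftpd uploading into the docroot httpd serves) are constructed assumptions chosen to mirror the message.

```python
"""Blast-radius model for the single-box vs. spread-out placement question.

Added example (not from the mailing-list thread). Two rules, taken from the
message above:
  1. same box: once one service on a host is cracked, the whole host is
     counted dead, so every service on it is lost;
  2. write access: a lost service that can write into data another service
     trusts taints that service too, transitively, even across hosts.
"""
from collections import defaultdict

# Constructed sample placements: service -> host it runs on.
ONE_BOX = {"httpd": "fw", "ftpd": "fw", "sendmail": "fw", "bind": "fw", "pf": "fw"}
SPREAD = {"httpd": "web", "ftpd": "ftp", "sendmail": "mail", "bind": "dns", "pf": "fw"}

# Constructed write-access edges: (writer, target) means the writer can
# modify data the target trusts, e.g. ftpd uploads land in httpd's docroot.
WRITE_DEPS = [("ftpd", "httpd")]


def blast_radius(compromised, placement, write_deps):
    """Return the set of services considered lost once `compromised` is cracked."""
    services_on = defaultdict(set)
    for svc, host in placement.items():
        services_on[host].add(svc)
    writes_to = defaultdict(set)
    for writer, target in write_deps:
        writes_to[writer].add(target)

    lost = set()
    frontier = [compromised]
    while frontier:
        svc = frontier.pop()
        if svc in lost:
            continue
        lost.add(svc)
        frontier.extend(services_on[placement[svc]])  # rule 1: same box dies
        frontier.extend(writes_to[svc])               # rule 2: write access taints
    return lost


def worst_case(placement, write_deps):
    """Largest blast radius over every possible single compromised service."""
    return max(len(blast_radius(svc, placement, write_deps)) for svc in placement)


if __name__ == "__main__":
    for name, placement in (("one box", ONE_BOX), ("spread", SPREAD)):
        for svc in placement:
            print(f"{name:8} crack {svc:9} -> lost {sorted(blast_radius(svc, placement, WRITE_DEPS))}")
        print(f"{name:8} worst case: {worst_case(placement, WRITE_DEPS)} of {len(placement)} services")
```

Running it shows the point of the message: with everything on one box, cracking any one daemon loses all five services, while with services spread out a cracked httpd costs only httpd, and only the ftpd-to-httpd write path lets a single compromise reach a second host.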