[Gllug] DHCP/Firewalls

Daniel Fairs daniel.fairs at spiderplant.net
Thu Aug 23 13:20:07 UTC 2001


Sorry, but I have to say: No No No! ;o)

Our internal network changes frequently (don't ask) so DHCP is a must
(incidentally, we are using 192.168.blah.blah). Putting web servers on the
internal network and port forwarding is ok EXCEPT you can only have one of
each type of server, and if that server *is* compromised (via a format
string vulnerability or something, which *can* come in on the allowed port)
then you've got attackers running around on your internal network. Which
consists of Windows boxes, so that would Not Be A Good Thing.

However, all opinions are welcome :)

Cheers,
Dan

> -----Original Message-----
> From: gllug-admin at linux.co.uk [mailto:gllug-admin at linux.co.uk]On Behalf
> Of t.clarke
> Sent: 23 August 2001 14:02
> To: gllug at linux.co.uk
> Subject: [Gllug] DHCP/Firewalls
>
>
> ---------------------------------------
> Message from:-
> Tim Clarke  (tim at seacon.co.uk)
> Seacon Holdings plc Group, London, U.K.
> Telephone: +44 (0)1474 320000
>       Fax: +44 (0)1474 329946
> ---------------------------------------
>
> Daniel Fairs wrote re use of DHCP with a firewall ....
>
> Lots of different ways to skin the cat, no doubt, but you could consider
> using 192.168....... addresses for your internal machines, statically
> assigned, and not use DHCP at all. Depends how big your internal network
> is I suppose. If you use 192.168 addresses for your web and mail servers,
> you can use port-forwarding on the firewall. This *should* keep them nice
> and safe from outside attack, since only traffic to port 80 etc will reach
> them. On that basis you may not even need to put the servers on a separate
> ethernet.
>
> Of course I could be totally wrong on all this !!
>
> Tim
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
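
The segmentation point argued in this message, as an added example (not code from the thread): a small model of which internal hosts a compromised web server can reach when it sits on the internal LAN behind a port forward, versus on a separate firewalled segment. All addresses, host names, ports and rules are constructed assumptions.

```python
import ipaddress

# Constructed inventories: name -> (ip, listening TCP ports)
FLAT_HOSTS = {"web": ("192.168.1.10", {80}),
              "pc1": ("192.168.1.50", {139, 445}),
              "pc2": ("192.168.1.51", {139, 445})}
DMZ_HOSTS = {"web": ("192.168.2.10", {80}),
             "pc1": ("192.168.1.50", {139, 445}),
             "pc2": ("192.168.1.51", {139, 445})}

# Firewall forwarding rules (src_net, dst_net, port); anything else is denied.
FLAT_RULES = [("0.0.0.0/0", "192.168.1.10/32", 80)]   # port forward to the web box
DMZ_RULES = [("0.0.0.0/0", "192.168.2.0/24", 80)]     # port 80 into the DMZ only


def firewall_allows(rules, src, dst, port):
    """True if any rule permits src -> dst on this port."""
    return any(src in ipaddress.ip_network(s)
               and dst in ipaddress.ip_network(d)
               and port == p
               for s, d, p in rules)


def blast_radius(hosts, rules, compromised, prefixlen=24):
    """Hosts and ports reachable from a compromised machine.

    Traffic between hosts on the same segment never crosses the firewall,
    so its rules only apply when source and destination subnets differ.
    """
    src = ipaddress.ip_address(hosts[compromised][0])
    segment = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
    reachable = {}
    for name, (ip, ports) in hosts.items():
        if name == compromised:
            continue
        dst = ipaddress.ip_address(ip)
        if dst in segment:
            exposed = set(ports)                      # same wire: unfiltered
        else:
            exposed = {p for p in ports if firewall_allows(rules, src, dst, p)}
        if exposed:
            reachable[name] = sorted(exposed)
    return reachable


if __name__ == "__main__":
    print("flat LAN:", blast_radius(FLAT_HOSTS, FLAT_RULES, "web"))
    print("DMZ     :", blast_radius(DMZ_HOSTS, DMZ_RULES, "web"))
```

Running the same function over a proposed rule set before deploying it shows whether any rule re-opens a path from the server segment back into the internal network.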