FW: [Malvern] Recommendations for File Servers
Richard Forster
rick at forster.uklinux.net
Sun Oct 22 10:44:25 BST 2006
Howdy

This is not trying to add to the excellent technical suggestions so far,
think of it more as a high level way of thinking without getting into
the specifics of product names and version numbers etc. Or think of it
as the insane ramblings of a madman.

Whilst you can have a PC directly connected to the internet and running
a software firewall, you should remember that it _is_ software and all
software sufficiently complex to be useful almost certainly has bugs[1].
If you do use a software firewall, you should use a well known and
actively developed one; that way any bugs should surface and be fixed
more quickly. Should.

I find that software ones are useful as you can get an immediate
on-screen display of any unusual traffic.

So, if you start with the assumption that it will have bugs then in the
situation described above you have just one layer of known buggy
software between you and the internet.

A sensible course of action is then to use two layers of firewalling.
Crucially, each using different technology so they are unlikely to be
vulnerable to the same bugs. The best way of doing this is to use a
separate box.

This strategy is known as defence in depth. At the risk of going
overboard ;-) if you wanted to do this properly you start with a list of
risks and address all those risks with a list of countermeasures.

Using an example from Stuart's email:
Risk: Viruses on the Windows machine.
Countermeasure1: Virus checker on the client machines.
Countermeasure2: Nightly virus check on the file server.
Countermeasure3: Regular data backups in case something new wipes the
data before the virus signatures get updated.
Countermeasure4: Educate your users not to run email attachments or
download random software from the corners of the internet.
And so on.

If you are going to have some wired and some wireless connected machines
then you must also think about where in the network you place your
wireless access point. Putting it inside all your firewalls may not be a
good idea as anyone in your neighbourhood can attempt to connect to what
is after all just a box running some software...

But if your server and all your clients (laptops/desktops) are connected
wirelessly then obviously you have to put the access point inside all
the firewalls, giving your computers protection from the internet.

Cheers
Rick

[1] Prize to the best reworking of that into a quote worthy of Clarke.