Networking Forums

Firewall and email/file servers on same machine?

 
 
markp
01-15-2005, 10:33 AM
Hi all,

I'm thinking of adding a linux based firewall to my home network, probably
on a mini-itx machine. I also need an email server and a file server that
can be accessed via a VPN.

Is it better from a security point of view to have physically separate
machines for the firewall and servers, or can these be in the same physical
machine without compromising security? I've heard that physically separating
them is good practice, but is there a genuine security reason or is this
just a maintenance issue?

Thanks!

Mark.


 
Davide Bianchi
01-15-2005, 11:04 AM
On 2005-01-15, markp <(E-Mail Removed)> wrote:
> Is it better from a security point of view to have physically separate
> machines for the firewall and servers


From a pure security point of view the firewall should be a firewall and
nothing else; of course this requires multiple machines to run different
services, and money-wise it isn't very good.

Davide

--
To rephrase, spam is not the answer. Spam is the question.
Death is not the answer, but pretty close to it. --Vadik
 
Wolfgang Kueter
01-15-2005, 11:12 AM
markp wrote:

> Is it better from a security point of view to have physically separate
> machines for the firewall and servers,


Yes.

> or can these be in the same
> physical machine without compromising security? I've heard that physically
> separating them is good practice, but is there a genuine security reason
> or is this just a maintenance issue?


Yes, there is a genuine security reason and that reads: 'Run as few (public)
services as possible on a security device!' For any service offered by the
box sooner or later an exploit might be found. What is not there cannot be
exploited. Best is to run _no_ services on a firewall at all.

On the contrary, more machines means more necessary effort for
administration (installing patches, hardware maintenance etc.).

Wolfgang

 
James Knott
01-15-2005, 12:12 PM
markp wrote:

> Is it better from a security point of view to have physically separate
> machines for the firewall and servers, or can these be in the same
> physical machine without compromising security? I've heard that physically
> separating them is good practice, but is there a genuine security reason
> or is this just a maintenance issue?


Firewalls should not be running anything not related to the firewall
function. The more you install or run, the greater the possibility of a
security risk. Ideally, you'd even forward vpn and ssh access to another
box, rather than allow it on the firewall.


 
Bas Keur
01-15-2005, 10:09 PM
>> Is it better from a security point of view to have physically separate
>> machines for the firewall and servers, or can these be in the same
>> physical machine without compromising security?


Always, `but` .....

> > I've heard that physically separating them is good practice,
> > but is there a genuine security reason
> > or is this just a maintenance issue?


In case of Fire, blown fuse, Ethan Hunt hanging from the roof etc.
So yes it has a reason.

> Firewalls should not be running anything not related to the firewall
> function. The more you install or run, the greater the possibility of a
> security risk.


You are absolutely right; however, this guy is talking about his home
network here. Unless he's dating Paris Hilton, chances are small he's
buying 2 separate racks with a 10mb fixed line between the 2
power-redundant Ciscos talking VRRP.

> Ideally, you'd even forward vpn and ssh access to another
> box, rather than allow it on the firewall.


Again, you are absolutely right. However, since I (forced, then I got
hooked) work with OpenBSD at work, I started to enjoy using their guerrilla
security tactics. That's like running Apache (chrooted & Sioux banner change),
mysql (firewalled on UID - nifty pf feature), samba only listening on an
internal nic, pop3-ssl & imap-ssl, LDAP, ntp, postfix, shoutcast, NFS, bootp
etc. etc. Now tell me that isn't fun. You will lose your job placing this at a
client, but trust me when I say crackers walk away mumbling it HAS to be an
OBVIOUS honeypot heheh. Either way, if you're no `slacker` try
going for the hardened linux distro that comes with chrooted daemons etc.

PS: Last week a client went for the 2 racks situation which I mentioned above,
since security was the only way `to fly`. Even so, both racks contain the
same root ssh-keys since typing in the passwords over and over again was a
`hassle`. Yes, I'm dead serious.


] Bas Keur
] `Energizer Bunny arrested, charged with battery`





 
Charlie Gibbs
01-16-2005, 01:02 AM
In article <(E-Mail Removed) >,
(E-Mail Removed) (Davide Bianchi) writes:

> On 2005-01-15, markp <(E-Mail Removed)> wrote:
>
>> Is it better from a security point of view to have physically
>> separate machines for the firewall and servers

>
> From a pure security point of view the firewall should be a firewall
> and nothing else, of course this require multiple machines to run
> different services and money-wise isn't very good.


It isn't very bad, though. Chances are you can pick up a cast-off
box that isn't powerful enough to be of interest to anyone, but
which still makes a good firewall. I have such a box (150-MHz
Pentium, 64MB RAM) so I installed a second NIC, loaded OpenBSD
3.3, and it makes a jim-dandy firewall. Some people even do the
job with old 486 boxes. Keep your eyes peeled - you'll find boxes
suitable for firewall use that people would as easily give you as
throw into the trash.

--
/~\ (E-Mail Removed)lid (Charlie Gibbs)
\ / I'm really at ac.dekanfrus if you read it the right way.
X Top-posted messages will probably be ignored. See RFC1855.
/ \ HTML will DEFINITELY be ignored. Join the ASCII ribbon campaign!

 
James Knott
01-16-2005, 02:17 PM
Charlie Gibbs wrote:

>> From a pure security point of view the firewall should be a firewall
>> and nothing else, of course this require multiple machines to run
>> different services and money-wise isn't very good.

>
> It isn't very bad, though.  Chances are you can pick up a cast-off
> box that isn't powerful enough to be of interest to anyone, but
> which still makes a good firewall.  I have such a box (150-MHz
> Pentium, 64MB RAM) so I installed a second NIC, loaded OpenBSD
> 3.3, and it makes a jim-dandy firewall.  Some people even do the
> job with old 486 boxes.  Keep your eyes peeled - you'll find boxes
> suitable for firewall use that people would as easily give you as
> throw into the trash.


My first firewall was a 486 DX2-66, running Slackware. Currently, I've got
a 166 MHz Pentium, running SuSE. It's got 3 NICs, for local lan, cable
modem and WiFi network. It's configured so that anything coming in from
WiFi is considered "hostile", just like the internet side. I can connect
to my home network, from outside, only by using SSH or VPN.
Since I don't run X directly on that box, its performance is fine. If I
need to run an X app (the X version of Yast is much nicer than the ncurses
version), I can use SSH to connect from another computer and run the app
that way. I can also run ethereal the same way.


 
markp
01-16-2005, 04:13 PM
"Wolfgang Kueter" <(E-Mail Removed)> wrote in message
news:csb1b2$tbp$(E-Mail Removed)...
> markp wrote:
>
>> Is it better from a security point of view to have physically separate
>> machines for the firewall and servers,

>
> Yes.
>
>> or can these be in the same
>> physical machine without compromising security? I've heard that
>> physically
>> separating them is good practice, but is there a genuine security reason
>> or is this just a maintenance issue?

>
> Yes, there is a genuine security reason and that reads: 'Run as few
> (public)
> services as possible on a security device!' For any service offered by the
> box sooner or later an exploit might be found. What is not there cannot be
> exploited. Best is to run _no_ services on a firewall at all.
>
> On the contrary, more machines means more necessary effort for
> administration (installing patches, hardware maintenance etc.).
>
> Wolfgang



Thanks! I think that I'll set up a firewall only machine, and put other
stuff on another machine locally.

Mark.


 
markp
01-16-2005, 04:15 PM
Thanks to all who replied. From what has been said I think I'll set up a
firewall only machine and do all the file and email serving locally on
another machine.

Mark.

"markp" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi all,
>
> I'm thinking of adding a linux based firewall to my home network, probably
> on a mini-itx machine. I also need an email server and a file server that
> can be accessed via a VPN.
>
> Is it better from a security point of view to have physically separate
> machines for the firewall and servers, or can these be in the same
> physical machine without compromising security? I've heard that physically
> separating them is good practice, but is there a genuine security reason
> or is this just a maintenance issue?
>
> Thanks!
>
> Mark.
>



 
Guest
01-20-2005, 12:13 AM
In article <(E-Mail Removed)>,
"markp" <(E-Mail Removed)> writes:
> Thanks to all who replied. From what has been said I think I'll set up a
> firewall only machine and do all the file and email serving locally on
> another machine.
>
> Mark.
>
> "markp" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi all,
>>
>> I'm thinking of adding a linux based firewall to my home network, probably
>> on a mini-itx machine. I also need an email server and a file server that
>> can be accessed via a VPN.
>>
>> Is it better from a security point of view to have physically separate
>> machines for the firewall and servers, or can these be in the same
>> physical machine without compromising security? I've heard that physically
>> separating them is good practice, but is there a genuine security reason
>> or is this just a maintenance issue?
>>

It has always been a truism that a firewall machine should be ONLY a
firewall machine. That's also not necessarily a reasonable situation
for a home machine. Assuming you've decided to find space for an extra
machine, it then becomes necessary to find space for 2 machines. And
while we're at it, it would REALLY be better to have a dedicated logging
host that accepts NO incoming connections, just a console, etc. It can
get out of hand, rapidly.

So let's take a slightly different situation...
About May 2003, I finally decided that maintaining a tight enough
firewall/server (Yes, I had space for *one* spare machine.) took more
due diligence than I really wanted to spend. So I bought a little blue
box, by Netgear. Actually, I specifically went up a few notches, and
got one with SPI, and other features that could almost make up for not
having a fully programmable firewall. Considering the events of Summer/
Fall 2003 I'm quite glad I got it.

It has always been my intent to re-open some remote connections, so I
can get to my machines at work or when travelling. I haven't gotten
around to it yet, so I have a hardware firewall and behind that a dual-
homed server that can be turned into a secondary firewall.

Any comment on using a combination of secondary firewall that also
provides home lan (no external) services? If/when I allow any sort of
external connection, it will probably only be a filtered OpenVPN
endpoint.

Dale Pontius
 