
List:       suse-security
Subject:    Re: [suse-security] RFC: Network Setup
From:       Robert Davies <rob_davies () ntlworld ! com>
Date:       2002-02-05 11:42:09

On Tuesday 05 February 2002 09:23, Stefan Nauber wrote:

> thanks for your reply. You advised me of not connecting the administrative
> network to the normal LAN. I understand that there is a security risk but
> this was, what I actually wanted to do. The idea was, that I wanted to
> administer the computers from my desktop without interference with the
> productive traffic.

Personally I think it's a good idea, and Dlink made some 4 port 100BaseT 
cards which were very useful for this sort of purpose.  This kind of backend 
network should also use an ether switch if at all possible, they cost little 
more than hubs, and reduce eavesdropping possibilities even further.  
Furthermore, using 4 port cards additionally allows things like web servers to 
communicate with backend databases or file servers using a separate server 
network, at little extra cost (and co-located rackspace is cheaper without IP 
address or traffic allocation).

The hosts in the DMZ should not route packets between the networks, and 
should only permit admin access through the admin host 'bastion' on that 
network, and the administration network should not be trusted by that admin 
host; packet filtering should be in place.

Any probing causing packets to be dropped in that admin network should 
trigger some immediate and heavy attention.

Rob
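
The last point of the message, sketched as an added example that is not part of the original post: every packet a DMZ host's filter drops on the admin network becomes an alert, grouped by source. The `ADMIN-DROP: ` log prefix, the `eth1` admin interface, the scan threshold and all addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: netfilter LOG output with a hypothetical "ADMIN-DROP: " prefix.
SAMPLE_LOG = """\
Feb  5 11:40:01 web1 kernel: ADMIN-DROP: IN=eth1 OUT= SRC=10.9.0.23 DST=10.9.0.11 LEN=60 PROTO=TCP SPT=40112 DPT=22 SYN
Feb  5 11:40:01 web1 kernel: ADMIN-DROP: IN=eth1 OUT= SRC=10.9.0.23 DST=10.9.0.11 LEN=60 PROTO=TCP SPT=40113 DPT=23 SYN
Feb  5 11:40:02 web1 kernel: ADMIN-DROP: IN=eth1 OUT= SRC=10.9.0.23 DST=10.9.0.11 LEN=60 PROTO=TCP SPT=40114 DPT=111 SYN
Feb  5 11:41:10 db1 kernel: ADMIN-DROP: IN=eth1 OUT= SRC=10.9.0.12 DST=10.9.0.13 LEN=60 PROTO=TCP SPT=51000 DPT=3306 SYN
Feb  5 11:41:30 web1 kernel: INET-DROP: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=4444 DPT=80 SYN
Feb  5 11:42:00 web1 sshd[812]: Accepted publickey for root from 10.9.0.2 port 40200
"""

# Only kernel lines carrying the admin-network drop prefix are parsed.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: ADMIN-DROP: "
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

def admin_drop_alerts(log_text, admin_iface="eth1", scan_threshold=3):
    """Return one alert per source whose packets were dropped on the admin network."""
    seen = defaultdict(set)       # src -> {(dst, proto, dport)}
    reporters = defaultdict(set)  # src -> hosts that logged the drop
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["iface"] != admin_iface:
            continue
        seen[m["src"]].add((m["dst"], m["proto"], m["dpt"]))
        reporters[m["src"]].add(m["host"])
    alerts = []
    for src in sorted(seen):
        # Several distinct targets from one source looks like probing, not a stray packet.
        kind = "scan" if len(seen[src]) >= scan_threshold else "drop"
        alerts.append({"src": src, "kind": kind,
                       "targets": sorted(seen[src], key=str),
                       "seen_by": sorted(reporters[src])})
    return alerts

if __name__ == "__main__":
    for alert in admin_drop_alerts(SAMPLE_LOG):
        print(alert)
```

Even a single drop is reported; the threshold only separates a stray packet from a multi-port probe.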

