debiannerd
asked on
DMZ or not
Alright experts,
here is the problem
I've got one static IP Address, one server running linux (YAY!), an old machine that could always serve and a firewall (a real firewall machine)....
So I have on the linux server, the users of the network who access their home folders (through Samba), on the same server, runs an FTP server (vsftpd), so that the users from their home can still access their files on the server.
So knowing the security threat of FTP, I took some precautions security wise (so no worries at that level)... For the moment, my firewall "host" the public IP address and just does a port redirection to the server (for example port 21). So till then everything is fine...
my next step is to add a mail server.... so my option is I could still add another port forwarding on the firewall to the server... but then I am more wondering if I should not set up a DMZ.
My problem is that if I decide to set up a DMZ, i therefore need to have a second server, which will be in a DMZ and synchronize with the users of the internal linux server... this server in the DMZ can therefore be a mail server... however since the whole purpose of the FTP is to allowed users to access their home folder on the linux server, i might then run into a problem with setting a DMZ... or only if it is possible to still do port forwarding on the firewall even do, having a DMZ?
Also the question I had, when you set a DMZ, does it mean that ALL PORTS ARE OPENED ON THAT DMZ MACHINE... like know on my firewall with my present settings, only port 21 is opened...
thx for ideas and clarifications
here is the problem
I've got one static IP Address, one server running linux (YAY!), an old machine that could always serve and a firewall (a real firewall machine)....
So I have on the linux server, the users of the network who access their home folders (through Samba), on the same server, runs an FTP server (vsftpd), so that the users from their home can still access their files on the server.
So knowing the security threat of FTP, I took some precautions security wise (so no worries at that level)... For the moment, my firewall "host" the public IP address and just does a port redirection to the server (for example port 21). So till then everything is fine...
my next step is to add a mail server.... so my option is I could still add another port forwarding on the firewall to the server... but then I am more wondering if I should not set up a DMZ.
My problem is that if I decide to set up a DMZ, i therefore need to have a second server, which will be in a DMZ and synchronize with the users of the internal linux server... this server in the DMZ can therefore be a mail server... however since the whole purpose of the FTP is to allowed users to access their home folder on the linux server, i might then run into a problem with setting a DMZ... or only if it is possible to still do port forwarding on the firewall even do, having a DMZ?
Also the question I had, when you set a DMZ, does it mean that ALL PORTS ARE OPENED ON THAT DMZ MACHINE... like know on my firewall with my present settings, only port 21 is opened...
thx for ideas and clarifications
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This can be accomplished with one machine. Just setup the mail server on the same linux box and accept connections on the proper ports.
However being the way I am, I'd hook up your spare box to the Internet and set it up as a dedicated firewall.
I would run the mail server on the same box as the ftp/samba server as neither require a *huge amount of resources. You can then set up a simple iptables firewall on the gateway to drop incoming connections except to ports 21,(20,25,110 etc...) which would be forwarded to your ftp/samba/mail server (as well as preforming NAT).
If you're still worried about connections from the LAN, you could run another firewall on the ftp/mail/samba server locking things down from those on the inside.
In summary, an incoming connection from the Internet would have to pass through 2 firewalls to connect. First on the WAN interface of the gateway which is then forwarded to the ftp/samba/mail server. Then through the firewall local to the ftp/mail server. Connections originating from your LAN would need only to pass 1.
This doesn't exactly offer more security but it does make things a bit more scalable.
Given that you have a (valid)concern for security, it would be a good idea to look into encrypted authentication for an ftp session.
However being the way I am, I'd hook up your spare box to the Internet and set it up as a dedicated firewall.
I would run the mail server on the same box as the ftp/samba server as neither require a *huge amount of resources. You can then set up a simple iptables firewall on the gateway to drop incoming connections except to ports 21,(20,25,110 etc...) which would be forwarded to your ftp/samba/mail server (as well as preforming NAT).
If you're still worried about connections from the LAN, you could run another firewall on the ftp/mail/samba server locking things down from those on the inside.
In summary, an incoming connection from the Internet would have to pass through 2 firewalls to connect. First on the WAN interface of the gateway which is then forwarded to the ftp/samba/mail server. Then through the firewall local to the ftp/mail server. Connections originating from your LAN would need only to pass 1.
This doesn't exactly offer more security but it does make things a bit more scalable.
Given that you have a (valid)concern for security, it would be a good idea to look into encrypted authentication for an ftp session.
ASKER
would it be better to have another machine running the mail server so that if this one is hacked, then the server that holds the user's data is somewhat still secure...
or I can still run the mail server on the same server and yet have a network storage backup of the user's files and emails; I can still put a small firewall in between that server and the rest of the lan... so that no connection from the server to the lan will be allowed!
please let me know what do you think?