As I understand it, one of the major reasons for having servers on the
bastion host itself is when the company has only a single IP address they
can publish. So their DNS entries for www.company.com, ftp.company.com
and their MX records all have to point to the same machine - the bastion.
However, with NAT and proxies, I believe that these could then be passed
through to internal machine(s). (Or am I a hopeless dreamer?)
As far as saving money goes, why not use the TIS FWTK proxies on the
bastion to do this work? Or are you saying that they don't want to spend
the money to buy a dedicated box to run the firewall? If that's the case,
then it will have to come down to cost-of-firewall vs. cost-of-break-in.
PS: whilst I'm here, my names for firewall admins are:
o goalkeeper (as in football (I mean soccer)) and the last-ditch defense on
o scapegoat :-)
It all just depends on whether it is working or not :-)
> >> Ideally, in our situation, the
> >> bastion host would be the firewall, the WWW server, the ftp server, the
> >> Usenet news server, etc... Is this completely unrealistic?
> >It's quite realistic... I did it last week. =)
> It is not recommended to have various servers running on the bastion-host-based
> firewall.
> The firewall runs stripped-down versions of various servers, while full-fledged
> servers are recommended to run inside the network.
> This is done mainly for security reasons. For example, if the firewall is configured
> as a mail server, information about the users will be available in the alias file
> on the firewall. If a hacker breaks in, he would get information about all the
> email users on the network. Later he would try breaking the passwords, etc.
> I would like to invite more comments on this issue from members
> of this newsgroup, because generally the network administrator in an
> organisation emphasises having different servers (other than the firewall) for various
> applications for the reasons mentioned above, while management presses to use
> it for all the other servers (like WWW, NNTP, ftp, etc.) and save money.
> Regards and TIA
> Vinay Sawarkar vinay @
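The single-address arrangement in the reply above (www, ftp and MX records all resolving to the bastion's one public IP, with NAT handing each service to a separate internal host) worked through as an added example. This is not the poster's setup and not a TIS FWTK configuration: it is a POSIX shell script for a Linux bastion that emits netfilter (iptables) DNAT and FORWARD rules. The public address 203.0.113.10, the interface name eth0 and the 192.168.1.x internal hosts are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): publish www, ftp and mail on
# one routable address while the real servers live inside. The bastion itself
# runs none of these daemons, so no alias file or user list is exposed on it.
# All addresses and the interface name below are assumptions for illustration.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # the single address in DNS (A + MX)
EXT_IF="${EXT_IF:-eth0}"                  # outside interface of the bastion
INT_WEB="${INT_WEB:-192.168.1.10}"        # internal WWW server
INT_FTP="${INT_FTP:-192.168.1.11}"        # internal ftp server
INT_MAIL="${INT_MAIL:-192.168.1.12}"      # internal mail host (MX target)

# Emit the two rules that publish one TCP service:
#   $1 = port on the public address, $2 = internal host, $3 = port on that host
# The FORWARD rule admits only this port to this host; everything else
# destined for the inside still hits the default DROP policy.
dnat_rule() {
    pub_port=$1; host=$2; int_port=$3
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $PUBLIC_IP --dport $pub_port -j DNAT --to-destination $host:$int_port"
    echo "iptables -A FORWARD -i $EXT_IF -p tcp -d $host --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
}

# The complete rule set, one command per line, in the order it must be loaded.
bastion_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    dnat_rule 80 "$INT_WEB" 80     # www.company.com
    dnat_rule 21 "$INT_FTP" 21     # ftp.company.com
    dnat_rule 25 "$INT_MAIL" 25    # MX record
    # Replies and internal-originated traffic leave with the public address.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

# Dry run by default so the rule set can be reviewed; APPLY=1 executes it
# (needs root and a netfilter kernel).
if [ "${APPLY:-0}" = "1" ]; then
    bastion_rules | sh -e
else
    bastion_rules
fi
```

Two caveats a practitioner would add: FTP in active mode opens a second connection back from the server, so the bastion also needs the ftp connection-tracking helper (nf_conntrack_ftp) loaded or the data channel will not pass; and DNAT only moves the attack surface, so the internal hosts still need to be hardened as if they were directly exposed, since port 80 on 192.168.1.10 is now reachable from anywhere.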