On Tue, 2005-04-05 at 14:26 +0200, Sasa Stupar wrote:
> I want to hear your opinion on the following net configurations:
> 1. cablemodem -> router -> server in DMZ
>                         -> LAN users
> 2. cablemodem -> router/server -> LAN users
>
> Which one is more secure and what are the risks on each one?
>

#1 is generally better. Why?

In #2, your web server software could be hacked, for example, and then your entire network is unprotected and open to the intruder. In #1, if your web server is hacked, then that one box is hacked and the rest of the network is protected by the router/firewall. Firewalls should have as little as possible installed on them.

Many/most cheap hardware firewalls do not have proper DMZs, so a properly-configured Linux box is your best solution. I use Fedora Core 3 boxes with Shorewall and three or more NICs to do this, but there are certainly other ways to peel that potato.

Cheers,

--
Rodolfo J. Paiz <rpaiz@xxxxxxxxxxxxxx>
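
The three-interface layout described in the reply above, sketched as Shorewall configuration files. This is an added example, not configuration from the original post; the file syntax follows current Shorewall releases, and the zone names, the interface names (eth0 to eth2) and the DMZ server address 10.0.2.2 are assumptions.

```conf
# ---- /etc/shorewall/zones ----
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# ---- /etc/shorewall/interfaces ----
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
# eth0 faces the cable modem, eth1 the LAN users, eth2 the DMZ server
net     eth0        dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        tcpflags,nosmurfs
dmz     eth2        tcpflags,nosmurfs

# ---- /etc/shorewall/policy ----
# First matching line wins. These are defaults for connections that
# no line in the rules file matches.
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
# A compromised DMZ server may not open connections to the LAN
# or to the firewall itself; log every attempt.
dmz     loc     REJECT  info
dmz     fw      REJECT  info
net     all     DROP    info
# Catch-all: anything not explicitly allowed is refused and logged.
all     all     REJECT  info

# ---- /etc/shorewall/rules ----
?SECTION NEW
#ACTION SOURCE  DEST            PROTO   DPORT
# Publish only the web ports of the DMZ server to the Internet.
DNAT    net     dmz:10.0.2.2    tcp     80,443
# LAN users reach the web server and administer it over SSH.
ACCEPT  loc     dmz             tcp     80,443
ACCEPT  loc     dmz             tcp     22
# The firewall box is managed from the LAN only and runs no public service.
ACCEPT  loc     fw              tcp     22
# The DMZ server may resolve names, nothing else outbound by default.
ACCEPT  dmz     net             udp     53
ACCEPT  dmz     net             tcp     53
```

Outbound NAT for the LAN and DMZ is left out to keep the focus on zone isolation. The `dmz loc REJECT info` policy line is what gives configuration #1 its advantage: log entries produced by it are an early sign that the DMZ server is being used to probe the LAN.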