Tim wrote:

>>> You may not want to run a webserver on your firewall from a security
>>> standpoint, but that aside...
>
> Timothy Murphy:
>> Is it safer to run shorewall on another computer behind the firewall?
>
> Shorewall is what configures your firewall, it's done on the same
> computer.

Sorry, I mis-wrote yet again.
What I meant to say was: Is it safer to run a web-server (httpd)
on another computer, rather than on the machine running the firewall?

>> I'd be interested in any information - eg pointers to documentation -
>> on making a home web-server secure (or more secure, at least).
>
> The basic advice is to run something separate as a firewall between the
> WWW and you. If you wanted to be really safe, and run a public web
> server, then you'd run the web server on a separate box, too.
>
> It goes without saying that the web server must be isolated from your
> LAN, for that to be of any benefit. You route connections through your
> firewall to it, and allow it to respond back out again. But you don't
> allow it access to any other part of your network.
>
> That way, if someone exploits your firewall (if possible), all they do
> is muck up the firewall. Likewise, if someone exploits the web server,
> all they do is muck it up. They're not able to muck up your other
> terminals and servers, because they don't connect to them.

I still don't really see any great advantage
in running the web-server on a different machine to the firewall.
Can one not restrict the part of the computer
accessible through the web-server in a reasonably secure way?

Actually, everything available through the web-server is fully backed up,
so it would not be any great loss if someone hacked this.
On the other hand, I would be upset if someone hacked into
the main part of the computer running the firewall.

-- 
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
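
The layout described in the quoted advice above (web server on its own box, reached through the firewall but cut off from the LAN), sketched as Shorewall configuration. This is an added example, not part of the original message; the zone names, interface names and the address 192.168.2.2 are assumptions.

```conf
# Added example. Zone names, interfaces and addresses are assumptions.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4        # the Internet
loc     ipv4        # home LAN
dmz     ipv4        # separate segment holding only the web server

# /etc/shorewall/interfaces
#ZONE   INTERFACE
net     eth0
loc     eth1
dmz     eth2

# /etc/shorewall/policy   (evaluated top to bottom, first match wins)
#SOURCE DEST    POLICY  LOGLEVEL
loc     net     ACCEPT
dmz     all     REJECT  info    # web server may not open connections to LAN, firewall or Internet
net     all     DROP    info    # nothing unsolicited from outside unless a rule allows it
all     all     REJECT  info

# /etc/shorewall/rules    (exceptions to the policies above)
#ACTION SOURCE  DEST                PROTO   DPORT
# Forward inbound HTTP to the web server; its replies are permitted
# by connection tracking, so no dmz -> net rule is needed for them.
DNAT    net     dmz:192.168.2.2     tcp     80
# LAN hosts may browse the server; the reverse direction stays rejected.
ACCEPT  loc     dmz                 tcp     80
```

`shorewall check` validates a configuration like this without applying it.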