[Mailman-Developers] MailMan-Traffic
J C Lawrence
claw@kanga.nu
Thu, 25 Apr 2002 15:27:45 -0700
On 25 Apr 2002 13:23:16 -0400
Tanner Lovelace <lovelace@wayfarer.org> wrote:
> On Thu, 2002-04-25 at 10:33, Chuq Von Rospach wrote:
>> On 4/25/02 3:11 AM, "Carson Gaspar" <carson@taltos.org> wrote:
>> But by moving the data from the list machine in the border zone
>> inside the main firewall, it also makes that data less prone to
>> attack from cracked machines elsewhere in the DMZ. If the data is on
>> the box, a cracker could potentially get it by cracking into the DMZ
>> anywhere and then cracking the database. By moving it and configuring
>> the firewalls properly, they'd have to crack ONTO the list machine
>> and then crack the data connection through the firewall.
> Don't forget, however, that since the list machine must get at the
> data somehow, you now have one more opening through your main firewall
> that must be secured/monitored/etc... So, basically, it's a
> trade-off.
Not necessarily. Just put in an additional DMZ layer so that you have a
different network segment used for data servers than for public servers.
(I'm running exactly this setup with my home network: public net, public
DMZ net, private DMZ net, in-house net (desktops etc), 802.11b net --
each a physically distinct network segment).
--
J C Lawrence
---------(*) Satan, oscillate my metallic sonatas.
claw@kanga.nu He lived as a devil, eh?
http://www.kanga.nu/~claw/ Evil is a name of a foeman, as I live.
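
Added example, not part of the original message: a small model of the three layouts discussed in this thread, counting how many further hosts must fall before a foothold on another public-DMZ server reaches the list data, and whether the in-house net ends up reachable. The host names (web, list, db, desktop) and the single list-to-db firewall rule are assumptions made for illustration.

```python
from collections import deque

# Constructed layouts (assumptions, not from the thread): host -> segment, plus
# the firewall rules that let one host open a connection to a host on another
# segment. Hosts on the same segment reach each other without any firewall.
LAYOUTS = {
    "data on the list box": {
        "hosts": {"web": "public_dmz", "list": "public_dmz", "desktop": "inhouse"},
        "data_on": "list", "allow": set(),
    },
    "data inside the main firewall": {
        "hosts": {"web": "public_dmz", "list": "public_dmz",
                  "db": "inhouse", "desktop": "inhouse"},
        "data_on": "db", "allow": {("list", "db")},
    },
    "data on a private DMZ segment": {
        "hosts": {"web": "public_dmz", "list": "public_dmz",
                  "db": "private_dmz", "desktop": "inhouse"},
        "data_on": "db", "allow": {("list", "db")},
    },
}

def can_connect(layout, src, dst):
    # Same segment, or an explicit firewall rule between the two hosts.
    hosts = layout["hosts"]
    return src != dst and (hosts[src] == hosts[dst] or (src, dst) in layout["allow"])

def hops_from(layout, foothold):
    """Breadth-first search: hosts that must fall, in sequence, to reach each host."""
    dist, queue = {foothold: 0}, deque([foothold])
    while queue:
        cur = queue.popleft()
        for nxt in layout["hosts"]:
            if nxt not in dist and can_connect(layout, cur, nxt):
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist

def assess(name, foothold="web"):
    layout = LAYOUTS[name]
    dist = hops_from(layout, foothold)
    return {"hops_to_data": dist.get(layout["data_on"]),
            "inhouse_exposed": "desktop" in dist}

if __name__ == "__main__":
    for name in LAYOUTS:
        print(f"{name}: {assess(name)}")
```

In this model the private DMZ segment keeps the two-step path to the data while leaving no rule through which the data server can reach the in-house net.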