Running more than one service on one box

From: Michael Kjorling (michael@kjorling.com)
Date: 09/13/01


Date: Thu, 13 Sep 2001 18:26:52 +0200 (CEST)
From: Michael Kjorling <michael@kjorling.com>
To: Security-Basics <security-basics@securityfocus.com>
Subject: Running more than one service on one box
Message-ID: <Pine.LNX.4.33.0109131821450.11967-100000@varg.wolfpack>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please apologize me if this has been asked before, but I haven't seen
it lately at least.

Right now several of my servers are serving more than one thing - one
does web, mail (both SMTP and POP), and DNS. Another does the same and
adds the usual risks with being a workstation as well.

I have been lobbying to split this up on more machines, and using one
per service. That is, let one machine handle the email (possibly
forwarding it to internal systems), let one handle the web, two for
DNS (master and slave) and so on. But we are talking about a pretty
small company so I am having a problem of getting the hardware this
would require. It took an actual break-in to one of the systems before
I was allowed to buy a dedicated hardware firewall, and I would prefer
not having to go through the same mess again.

Could someone please give me some hints as to what the actual security
implications would be of a setup like this? As it is, the company in
question is rather dependant on their Internet connectivity (web site,
email and so on), and I don't want to get into trouble if someone
breaks in through a DNS implementation problem and then escalates
their access and starts messing with the web site, for example.

Any help is greatly appreciated!

Michael Kj÷rling

- --
Michael Kj÷rling - michael@kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^ Support the wolves in Norway -- go to ^..^
 \/ http://home.no.net/ulvelist/protest_int.htm \/

***** Please only send me emails which concern me *****

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For my PGP key: http://michael.kjorling.com/contact/pgp.html

iD8DBQE7oN5TKqN7/Ypw4z4RAkUwAJ43lou3pPNOtuDYx4Rp2DP64Tj1KQCeI0Tn
EDoYeS++weIT3TWxp3PnkWA=
=4/7X
-----END PGP SIGNATURE-----