PaulDotCom mailing list archives
network architecture question
From: dninja at gmail.com (Robin Wood)
Date: Sat, 24 Oct 2009 16:08:30 +0100
I've put together a small network with a bunch of VMs running on a single host. As all the VMs talk through the host machine I've made that a kind of DMZ. I've got Snort running on it and want to use BASE as well. I want BASE to be only accessible from inside the network.

My architecture question is, where do I install the web and db server? My options are:

1. db and web server on a VM and have db listen on a port so Snort can report into the database
2. db and web on the DMZ
3. db on the DMZ and web on another machine

With 1 both db and web are tucked away on their own machine so the DMZ is only running the minimum of servers; the bad side is that having a hole through to db gives an in to that machine.

With 2 no other machines are exposed but I'm running extra software on the DMZ, and the more things running, the potentially weaker it is.

With 3 the other machine is reaching out to the database so there doesn't need to be any inbound holes to the web machine, but the DMZ is running the extra service.

Which of these three options is best? I think I prefer number 3 as the internal machine doesn't need any inbound holes but can still collect data from the db.

I know this isn't a real DMZ and if the host is compromised the whole thing falls, so this is more of a thought exercise.

Opinions please.

Robin
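Added example (editor's illustration, not part of Robin's post or any reply): host firewall rules that implement option 3, db on the DMZ host with BASE's web server on an internal machine that only reaches out to the database. Addresses, the port and the rule syntax are assumptions: the DMZ/Snort host is taken as 192.168.10.1, the internal BASE web host as 192.168.10.20, and the database as MySQL on TCP 3306. IPT defaults to echo so the script prints the rules for review; set IPT=iptables on the real hosts to apply them.

```shell
#!/bin/sh
# Option 3 from the post: db on the DMZ host, BASE web server on an internal host.
# Assumed addresses and port (not from the original post):
IPT="${IPT:-echo iptables}"   # dry-run by default; IPT=iptables to apply
DB_HOST=192.168.10.1          # assumed DMZ/Snort host running the database
WEB_HOST=192.168.10.20        # assumed internal host running BASE
DB_PORT=3306                  # assumed MySQL port

# Rules for the DMZ host. The only inbound hole is the database port,
# and only from the one internal host that runs BASE. Snort on this host
# writes to the database over loopback, so nothing else needs to reach it.
dmz_db_rules() {
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp -s "$WEB_HOST" --dport "$DB_PORT" -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp --dport "$DB_PORT" -j DROP
}

# Rules for the internal web host. No new connections are accepted from the
# DMZ host at all; replies to the web host's own DB queries are covered by
# the ESTABLISHED rule, which is why it must come before the DROP.
web_host_rules() {
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -s "$DB_HOST" -j DROP
  $IPT -A OUTPUT -p tcp -d "$DB_HOST" --dport "$DB_PORT" -j ACCEPT
}

# Each function would normally run on its own host; here both are printed.
dmz_db_rules
web_host_rules
```

The point the ruleset makes concrete is the one Robin raises for option 3: the web host has no inbound exposure to the DMZ, so a compromised DMZ host cannot open a connection to it, while the DMZ host's extra exposure is limited to one port from one source address rather than the whole database listening openly.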