[Dshield] Multi- Honed Servers

Russell Washington russ.washington at vaultsentry.com
Tue May 28 18:47:33 GMT 2002

If you're talking about multihoming servers whose purpose is something other
than security (or at least acting as a VPN gateway), this is probably a
really bad idea.  Security should be left to the firewall(s).

If you're talking about a server acting as a VPN gateway, that's still not
the best idea, but if it's behind a firewall itself you could restrict the
kind of traffic that can hit the 'public' side.

If you're talking about a server that *is* a firewall, like Checkpoint or
something, that's still not the best (my bias-- I don't like firewalls that
sit on top of a favorite-target OS with a well-known rep for security
holes), but it's better than the VPN gateway-only option.

Those are just some preliminaries, since you didn't describe what kind of
topology these multihomed boxes are going to live in... Hope it helps.

-----Original Message-----
From: rhilliard at t-systemsus.com [mailto:rhilliard at t-systemsus.com] 
Sent: Tuesday, May 28, 2002 9:27 AM
To: list at dshield.org
Subject: [Dshield] Multi- Honed Servers

I am researching the security practice of using multiple network
interfaces in servers. I don't have a recommendation either way yet; it
seems that throwing more interface cards into a server may not be the best
way to secure networks. It seems a little more like "hiding" a network as
opposed to securing it. I am looking for any thoughts on this.


