Not to be a smart ass, but why are you worrying? Since you are willing to allow a Windows box to be your proxy server, the point is moot. Windows has such poor security that worrying about Linux is funny. I would never put a Windows box in direct contact with the Internet, EVER.

Best solution: Firewall/Gateway/Proxy/IP Masq/DHCP boxen -> Linux tightened down (LRP or e-smith distro). Boxen must have at least 2 NICs, or up to 4 NICs.

NIC 1: Internet (enuf said)
NIC 2: Web server private network (192.168.0.x)
NIC 3: Internal private area network (192.168.1.x)

The DHCP server should serve IP addresses to each of the internal networks.

IP Masq and routing rules:

NIC 1 port 80 to NIC 2 port 80 to specific machine
NIC 3 traffic out to NIC 1
NIC 1 response traffic from NIC 3 allowed back to NIC 3 (standard IP Masq rules)
NIC 3 traffic out to NIC 2
NIC 2 response traffic from NIC 3 allowed back to NIC 3 (standard IP Masq rules)
All other traffic logged and dropped

-----Original Message-----
From: Mark Phillips [mailto:phillips@usa.net]
Sent: Tuesday, September 04, 2001 2:54 PM
To: Phoenix Linux Users' Group (E-mail)
Subject: Network Security Question

For all the network security gurus out there....

I have a network with 5 machines (Windows and Linux) connected to the Internet. I am currently using a Win 95 box as a proxy server (commercial software - Wingate). I plan to add a Web server (apache, jsp, servlets, etc.) on one of the Linux boxes. I am new to Linux and learning a lot as I install, configure and use it!

My question relates to the network configuration. I have thought of three options, and would like some opinions....

Option 1

Attach the Linux webserver to my internal network and open a port on the proxy server to allow access. The down side is that anyone who gains access to the Linux box will have complete access to my network. Since I am new to Linux and network security I do not know how secure my Linux box is, nor do I want to find out after the fact that it wasn't!
Internet ----->(nic1)Proxy(nic2)---->(internal network with all machines on it)

Option 2

Use the Linux/webserver as a router and put it between my proxy server and the Internet. This isolates the webserver from my network, so if it is compromised, then all I lose is what is on that box. I figure restoring the webserver/Linux box is good practice and a great learning experience....;) I would add a second NIC to the Linux/webserver box:

Internet---->(nic1)Linux/webserver/router(nic2)---->(nic1)Proxy(nic2)---->(internal network with all machines on it)

Option 3

Use the Linux/webserver as a router again (2 NICs) but put it between the proxy server and the internal network. This puts the stronger security device (proxy server, I think) as the front line of defense (some protection for the web server?). The proxy has not been hacked in over 5 years of operation, but I have never had a port open to my network before (e.g. I opened a port to allow people to visit my web server).

Internet---->(nic1)Proxy(nic2)---->(nic1)Linux/webserver/router(nic2)---->(internal network with all machines on it)

I am sure there are many other permutations - if there is a better one, please let me know!

Thanks!

Mark Phillips

P.S. Do I need 2 NICs in the Linux box to act as a router? Is one sufficient?

________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
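The three-NIC ruleset from the reply above, written out as an added example (not from either poster, and not an LRP or e-smith config): iptables is assumed as the netfilter tool rather than the ipchains of the time, the interface names eth0/eth1/eth2 and the web server address 192.168.0.10 are assumptions, and DRY_RUN=1 prints the rules instead of applying them so the script can be reviewed before it is run as root.

```shell
#!/bin/sh
# Three-NIC gateway: NIC 1 Internet, NIC 2 web server net, NIC 3 internal net.
# Interface names and the web server address are assumptions for this example.
WAN=eth0                 # NIC 1: Internet
DMZ=eth1                 # NIC 2: web server private network
LAN=eth2                 # NIC 3: internal private network
DMZ_NET=192.168.0.0/24
LAN_NET=192.168.1.0/24
WEB=192.168.0.10         # the one machine that port 80 is forwarded to (assumed)
DRY_RUN=${DRY_RUN:-1}    # 1 = print the rules only; 0 = apply them (needs root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

fw_rules() {
    [ "$DRY_RUN" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    # Default deny: anything not matched below is dropped by policy
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the gateway already tracks ("standard IP Masq rules"),
    # which covers NIC 1 -> NIC 3 and NIC 2 -> NIC 3 response traffic
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # NIC 1 port 80 -> port 80 on one specific NIC 2 machine; nothing else inbound
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # NIC 3 traffic out to NIC 1, masqueraded behind the gateway's public address
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # NIC 3 traffic out to NIC 2. There is deliberately no NIC 2 -> NIC 3 rule,
    # so a compromised web server cannot open connections into the internal net.
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -d "$DMZ_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everything else is logged (rate limited) and then falls to the DROP policy
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP:"
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP:"
}

fw_rules
```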