Date: Mon, 26 Nov 2001 17:05:04 -0800
From: "Crist J. Clark"
To: Ahsan Ali
Cc: security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Message-ID: <20011126170503.C418@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com> <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com> <20011126001931.D222@gohan.cjclark.org> <001901c057dc$c69b9300$0100a8c0@ahsanalikh>
In-Reply-To: <001901c057dc$c69b9300$0100a8c0@ahsanalikh>; from ahsan@khi.comsats.net.pk on Mon, Nov 27, 2000 at 12:12:06AM +0500

On Mon, Nov 27, 2000 at 12:12:06AM +0500, Ahsan Ali wrote:
> What would the ideal security model for an ISP with a lot of sites and
> services hosted be?

A traditional ISP does (and should do) almost no filtering between its
peer points and its clients.

An ISP should protect its administrative network (accounting,
marketing, etc.) and external service servers (SMTP, POP, HTTP,
Radius, etc.) pretty much like any other large business. Some of
these, like a Radius server, are not really seen in many other
businesses and have different requirements (it is accepting requests
from ISP owned machines on ISP owned network, but the network must be
considered hostile since the customers have "raw" access to it). In an
ISP environment, you have to depend on hardening hosts a lot more
since many are required to operate in very insecure environments.

And you might want to fix that clock of yours. Or you seem to be
existing in some kind of time warp.
-- 
Crist J. Clark
cjclark@alum.mit.edu