|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-users] OT: Network Security
Hi Everyone,
I've labeled this as Off-Topic as it's not really directly related
to Xen, however I know the folk here are very experienced and helpful and my
solution is going to be implemented on Xen. Please bear with me.
I'm trying to decide where to put my web server and DB server in my
network. My current idea is to have an Apache Reverse Proxy in a DMZ, and put
the "real" web server in a seperate subnet, along with the DB server. So it
looks like this:
Internet
:
<NAT Port Fordwarding>
:
**************************************
DMZ: Reverse Proxy Server (which proxies to "real" web
server)
**************************************
:
:
:
********************************************
Seperate Subnet: "Real" Web server and Database Server
********************************************
I'm in a bit of a debate with some people. Since the whole setup
above will be on a single Xen box, and since I'm using filtering on my Dom0
bridge, my argument is that seperating into different subnets is irrelevant,
since I'm able to tightly restrict communication between hosts on the same
subnet (My current rules don't even allow IP or MAC spoofing). Some people have
told me to put both reverse proxy and "real" web server in DMZ, and put DB on
its own subnet.
Woudn't it be just as secure to put everything on the same subnet,
and make use of my Dom0 filtering bridge to filter communication between guests?
Or is there some "magicness" that separating into different subnets
has?
Thanks _______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |