[Pauldotcom] network architecture question
dninja at gmail.com
Sat Oct 24 15:08:30 UTC 2009
I've put together a small network with a bunch of VMs running on a
single host. As all the VMs talk through the host machine, I've made
that a kind of DMZ. I've got Snort running on it and want to use
BASE as well. I want BASE to be only accessible from inside the
network. My architecture question is, where do I install the web and
My options are:
1. db and web server on a VM and have db listen on a port so Snort can
report into the database
2. db and web on the DMZ
3. db on the DMZ and web on another machine.
With 1 both db and web are tucked away on their own machine so the DMZ
is only running the minimum of servers, the bad side is having a hole
through to db gives an in to that machine.
With 2 no other machines are exposed, but I'm running extra software on
the DMZ, and the more things running the potentially weaker it is.
With 3 the other machine is reaching out to the database so there
doesn't need to be any inbound holes to the web machine but the DMZ is
running the extra service.
Which of these three options is best? I think I prefer number 3 as the
internal machine doesn't need any inbound holes but can still collect
data from the db.
I know this isn't a real DMZ and if the host is compromised the
whole thing falls, so this is more of a thought exercise.
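Added illustration (not part of the original post) of how option 3 keeps the database "hole" narrow: Snort on the DMZ host writes to a local MySQL instance, and the only remote account is the BASE reader, tied to the internal web host's address. The hostname, the address 10.0.1.5 and the passwords are placeholders; the Snort output line in the comment is the classic Snort 2.x database plugin syntax.

```sql
-- Constructed example for option 3 (db on the DMZ host, BASE on an internal box).
-- Assumed placeholders: BASE host = 10.0.1.5, passwords = CHANGE_ME.
-- Snort's own config on the DMZ host points at the local socket only, e.g.
--   output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

CREATE DATABASE snort;

-- Snort only ever inserts events, and only from the same machine: no remote login for it.
CREATE USER 'snort'@'localhost' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, INSERT ON snort.* TO 'snort'@'localhost';

-- BASE reads alerts and maintains its own bookkeeping tables (and lets an analyst delete
-- alerts), so it needs row-level write access, but the account is valid from one address only.
-- A connection attempt from any other host is refused at the authentication step.
CREATE USER 'base'@'10.0.1.5' IDENTIFIED BY 'CHANGE_ME';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON snort.* TO 'base'@'10.0.1.5';

-- Nothing gets schema-changing or administrative rights over the network.
FLUSH PRIVILEGES;
```

Pair this with bind-address in my.cnf set to the DMZ host's internal interface and a host firewall rule that admits TCP/3306 only from 10.0.1.5, so the grant table is not the sole line of defence for that inbound port.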