| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Locking Windows |
DD> If you're serious about the Linux box being a router/firewall only take a look at one of the single diskette router distributions of it (LRP or Freesco or such). These boot from a write protected floppy, load into a RAM drive and run from there. If something odd happens, just reboot and it automatically runs a "clean" copy.

> I've thought of that, but it's not such a big deal with these fast CPUs and drives. I can run a backup for the entire drive in 3 minutes.

RG> I think you are missing the point Bob.

The only advantage of the CD and RAM is that it is impossible to corrupt the CD. You can still corrupt the RAM... which you can fix by switching it off and starting again.

My POINT, was that I can do the same thing with a backup in 3 minutes... reformat the corrupted drive and reload the whole thing. A few years ago, with slow hard drives that would have been a major morning's work. Today, it is a mere 3 minutes' work.

That's something else that surprised me, btw. This new computer has a CD burner, and I can burn a CD in 4 minutes!

RG> For several years our firewall/router was the same machine as our Web, FTP and Email servers. Although it did a pretty good job, it wasn't the most secure system in the world because IF someone happened to compromise our firewall box they instantly had access to all the other services running on the machine. In contrast, a dedicated firewall/router offers yet another level of protection. In order to access our other machines, a hacker would first need to compromise the firewall and _then_ they'd need to do even more 'work' in order to gain access to the actual servers. The firewall box itself doesn't have ANYTHING on it other than the firewall code itself (and an SSH server for admin purposes). Oh, the SSH server is only accessible from within our own network.

I agree with this approach entirely. Until you mentioned that you had a hardware firewall, I was talking about software firewalls. Linux or not, those are still vulnerable. Your approach is fireproof.

RG> It ISN'T just a matter of the time it takes to recover from a backup that is an issue, because on a production machine ANY backup is always going to be a little out of date. No big deal for most home users, but a very big issue for those of us running online webstores, etc.

I am talking about *ME*, running a PC which has to be totally secure if I connect to the net. Once I set up my Linux server, it will never change... all the changes will take place on the protected Windows machine. If I lose a bit of mail... stiff.

This latest discussion was over the use of a CD-booted Linux for improved security. For me, there is no advantage in that.

RG> We perform daily, weekly and monthly backups (fully automated of course) and even recovering from a daily backup file (due to hardware failure) takes a LOT longer than '3 minutes' if/when we have to manually restore orders, etc that are up to 24 hours old.

I'm not advocating that you change your system to mine. Why do you expect me to change *my* system to yours?

Regards,

Bob

--- BQWK Alpha 0.5

\* Origin: Precision Nonsense, Sydney (3:712/610.12)

SEEN-BY: 633/104 260 262 267 270 285 640/296 305 384 531 954 1042 690/734

SEEN-BY: 712/610 848 774/605 800/221 445

@PATH: 712/610 640/531 954 633/260 267

| SOURCE: echomail via fidonet.ozzmosis.com | |