[SOLVED] Will server on router be a security risk to computers also connected to router

[sKunKbad]

I have an old computer that I want to install Ubuntu Server Edition 8.04 on. I want to play with running a web server. I've read a lot of info online, and also bought a Ubuntu Server Administratioin book, but I would like to know if I plug this web server into my router, if the other 5 computers that are connected to the router will potentially be at risk. Is this more of a router config issue? The router is just a simple wired only linksys 5 port. There is also an 8 port switch connected because we have printers connected. Most computers connected are Windows XP, and there is one Win2K. There is some file and print sharing going on between the XP computers, in case that is critical info.

[corbin]

They should be perfectly safe....  As long as you have a fairly standard config....

[sKunKbad]

That is good to hear. I am very interested to see how this works, and how fast of a response I can get out of this computer running as a server.

[trq]

You'll only want to place your one server machine in the DMZ as defined somewhere in your routers config.

[sKunKbad]

You'll only want to place your one server machine in the DMZ as defined somewhere in your routers config.

 

My router will only allow one machine to be in the DMZ. From what I have read online, I thought I was just going to use port forwarding. This is the first time I have heard of DMZ. My router manual is clear that being in the DMZ exposes the server to all ports being forwarded, as opposed to only a limited amount of ports being forwarded via port forwarding. I take it, based on your response, that the DMZ is a safer place to put the server. I will read more about the DMZ vs. port forwarding, but any further advice or information is appreciated. Thank you.

[sKunKbad]

I take it, based on your response, that the DMZ is a safer place to put the server.

 

I took a few minutes to read up on "DMZ vs port forwarding", and it seems that DMZ is definitely worth avoiding if port forwarding can be set up correctly. Although the main advantage of DMZ seems to be ease of getting through the firewall... it seems like the more risky way of setting up the server. Ubuntu Server Edition 8.04 claims to have all ports blocked by default, so perhaps the DMZ is fine. What do you think?

[trq]

I suppose if your only hosting limited services on the server port forwarding is probably sufficient and the safer option. I usually place any server I need in a DMZ then let the firewall on the DMZ take care of security. I hate playing around with those router interfaces.

 

Before I started using virtual machines I would put a router machine (a base Linux install with NAT/firewall and a couple of NICs) in the DMZ and would have it forward ports/requests to machines on the other side of it. It just meant that everything could be could be controlled via the one Linux machine instead of needing to use my hardware routers interface.

 

These days I pretty much do the same, but instead I'm only using the one machine (the hardware node (HN)) and within it I have a series of virtual machines (VEs). My hardware node sits in the DMZ and hosts only the software needed to run the VEs + iptables (NAT/Firewall). Based on requests sent to the HN I can determine which VEs to expose.

 

But yeah, I'd probably suggest you start with a simple port forwarding scenario.

[sKunKbad]

Thorpe,

Thanks for your reply. I'm looking forward to a great learning experience by doing this, and I'm sure I will have other questions along the way.