I can't speak to FBSD or to jails, but I can address the separation of duties, responsibilities, and authority you give to your interconnected services. When they are separated, and limited to clearly defined communication paths, the chance of a problem with -- or a successful compromising attack against -- one of them, will only have those clearly defined communication paths in which to either cascade an integrity issue or for an attacker to use as a pursuit vector.
If you had a large infrastructure, with separate webservers, application servers, and DBMS servers, you might have a network with multiple tiers, and your Internet-exposed webservers would be in a "DMZ" network, with firewalls that only permitted connections through your application servers. And your DBMS servers might be on a "Data" tier, with firewalls permitting only SQL queries and responses.
All for isolation. Your jail "infrastructure" should provide similar separation by function, with different components having different authority and access.
|