View Single Post
  #3   (View Single Post)  
Old 4th December 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,974
Default

I can't speak to FBSD or to jails, but I can address the separation of duties, responsibilities, and authority you give to your interconnected services. When they are separated, and limited to clearly defined communication paths, the chance of a problem with -- or a successful compromising attack against -- one of them, will only have those clearly defined communication paths in which to either cascade an integrity issue or for an attacker to use as a pursuit vector.

If you had a large infrastructure, with separate webservers, application servers, and DBMS servers, you might have a network with multiple tiers, and your Internet-exposed webservers would be in a "DMZ" network, with firewalls that only permitted connections through your application servers. And your DBMS servers might be on a "Data" tier, with firewalls permitting only SQL queries and responses.

All for isolation. Your jail "infrastructure" should provide similar separation by function, with different components having different authority and access.
Reply With Quote