Re: basic question about firewall usage
On Sat, May 10, 2003 at 03:14:56AM +1000, Tarragon Allen wrote:
> In general practice, it's considered bad form to put any services on a
> firewall/router that aren't directly related to routing and packet
> filtering. The logic behind it is that the firewall itself should (in
> theory) have access to most services/machines on both sides of the
> firewall, and as such any extra services placed on the firewall
> increase the risk that one of them has a vulnerability, and if the
> firewall is vulnerable, then so is the rest of your network.
If a service being provided has a flaw in it that is exploitable, your
network is vulnerable either way. It's just a question of how
vulnerable. The only containment that would really work is constructing
a DMZ, not simply moving the service being provided to another box.
> To further extend this, in theory, if you trust your firewall, then
> you can run vulnerable services behind it and not have to worry so
> much (I run test servers and so forth at home behind a firewall, yet I
> implicitly trust my firewall to block access to it from the Internet,
> so I feel - relatively - safe).
This is only true if you don't provide access to these services through
something such as port-forwarding. In such cases running the service on
the firewall is no different. Sure it's still frowned upon, but lack of
access is lack of access. Just as access is access (unless you start
putting a content checking mechanism in place).
Jamin W. Collins
This is the typical unix way of doing things: you string together lots
of very specific tools to accomplish larger tasks. -- Vineet Kumar