
Re: basic question about firewall usage

On Fri, 9 May 2003, Jamin W. Collins wrote:

> If a service being provided has a flaw in it that is exploitable, your
> network is vulnerable either way.  It's just a question of how
> vulnerable.  The only containment that would really work is constructing
> a DMZ, not simply moving the service being provided to another box.

A DMZ is always a good idea...

> > To further extend this, in theory, if you trust your firewall, then
> > you can run vulnerable services behind it and not have to worry so
> > much (I run test servers and so forth at home behind a firewall, yet I
> > implicitly trust my firewall to block access to it from the Internet,
> > so I feel - relatively - safe).
> This is only true if you don't provide access to these services through
> something such as port-forwarding.  In such cases running the service on
> the firewall is no different.  Sure it's still frowned upon, but lack of

Running the service on another machine *is* different, because breaking the
service doesn't give the attacker the ability to remove whatever protections
the firewall has in place - for instance, the attacker can't fire up a proxy
on another port and start running spam and DoS attacks through it, because
your firewall will[1] be denying connections to all ports on the protected
machines except those it knows it should be allowing.  If you're port
forwarding, then unknown ports just bounce off your firewall's closed ports.

It comes down to what you're looking to protect in the main - your machines,
or your reputation on the internet.  If it's your machines, then cut your
internet cable, because allowing any service is a potential in on (at least)
that machine.  Segregating every externally-accessible machine into its own
little DMZ will control the damage, but not eliminate it.

#include <disclaimer.h>
Matthew Palmer, Geek In Residence
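An added example for the setup Matthew describes, not part of the original mail: a Linux box acting as the firewall forwards one service port to a separate DMZ host and drops everything else it would forward. Interface names, the 192.0.2.10 address and port 80 are assumed placeholders.

```shell
#!/bin/sh
# Added example for the thread above, not part of the original mail.
# A Linux box acting as the firewall forwards ONE service port to a separate
# host in a DMZ and drops every other forwarded packet, so an attacker who
# breaks that service cannot open extra listening ports (or new outbound
# connections for a proxy) that the outside world can reach.
# All names and addresses below are assumed placeholders, not the author's.
WAN_IF="${WAN_IF:-eth0}"             # Internet-facing interface (assumed)
DMZ_IF="${DMZ_IF:-eth1}"             # interface towards the DMZ host (assumed)
DMZ_HOST="${DMZ_HOST:-192.0.2.10}"   # the separate service box (assumed)
SVC_PORT="${SVC_PORT:-80}"           # the single port we choose to expose

# Print the rule set; nothing is applied unless "apply" is passed.
dmz_rules() {
  cat <<EOF
# default deny for anything the firewall would forward between interfaces
iptables -P FORWARD DROP
# translate the one exposed port to the DMZ host
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $SVC_PORT -j DNAT --to-destination $DMZ_HOST:$SVC_PORT
# let that forwarded traffic through to the DMZ host only
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport $SVC_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# replies back out; the DMZ host gets no NEW outbound connections, so a proxy planted on it cannot reach the Internet
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_HOST -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# log what falls through to the DROP policy so the probes that "bounce off" are visible
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

case "${1:-}" in
  apply) dmz_rules | sh ;;   # run the commands (needs root)
  *)     dmz_rules ;;        # dry run: show them
esac
```

Run it with no argument to review the rules, or with `apply` as root to load them; the DMZ host must use the firewall as its default gateway so the return path passes the ESTABLISHED rule.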
