[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: basic question about firewall usage

On Sat, May 10, 2003 at 09:42:23AM +1000, Matthew Palmer wrote:
> On Fri, 9 May 2003, Jamin W. Collins wrote:
> > If a service being provided has a flaw in it that is exploitable,
> > your network is vulnerable either way.  It's just a question of how
> > vulnerable.  The only containment that would really work is
> > constructing a DMZ, not simply moving the service being provided to
> > another box.
> A DMZ is always a good idea...

Sure it is, but up to this point, no one (at least not that I noticed)
suggested using one.  Instead it was suggested to move the services off
to another box, which unless it's in a DMZ will not help one bit.

> > This is only true if you don't provide access to these service
> > through something such as port-forwarding.  In such cases running
> > the service on the firewall is no different.  Sure it's still frown
> > upon, but lack of
> Running the service on another machine *is* different, because
> breaking the service doesn't give the attacker the ability to remove
> whatever protections the firewall has in place

Incorrect.  If a service is flawed to allow a cracker to gain access,
and is not running in a DMZ chances are they now have free reign of your
network.  Sure the firewall is running on another machine but that makes
little difference.

> - for instance, the attacker can't fire up a proxy on another port and
> start running spam and DoS attacks through it, because your firewall
> will[1] be denying connections to all ports on the protected machines
> except those it knows it should be allowing.  If you're port
> forwarding, then unknown ports just bounce off your firewall's closed
> ports.

This only works if you're restrictive about the traffic you let out.  If
the box providing the services (or any other box on your internal
network) is allowed to make outbound requests, the cracker can simply
contect out to bypass the firewall.

> It comes down to what you're looking to protect in the main - your
> machines, or your reputation on the internet.  If it's your machines,
> then cut your internet cable, because allowing any service is a
> potential in on (at least) that machine.  Segregating every
> externally-accessible machine into it's own little DMZ will control
> the damage, but not eliminate it.

A properly configured DMZ can not initiate an outbound connection of any
kind (to the internal network or the external Internet).  Thus, an
individual gaining access to a DMZ'd machine has access to only that
machine and nothing else.  Personally, I see a DMZ as acceptable.

Jamin W. Collins

Reply to: