Re: basic question about firewall usage
On Sat, May 10, 2003 at 03:23:13PM +1000, Matthew Palmer wrote:
> On Fri, 9 May 2003, Jamin W. Collins wrote:
> Imagine, for example, that in order for the attacker to get in, they
> need to crash apache in some way. Somebody's likely to notice that
> sort of thing. Without a firewall (or with a firewall the attacker
> can fux0r with) they can punch a hole, install a backdoor, and then
> restart apache. Downtime? A couple of minutes. But you're
> thoroughly r00ted, because s/h/it can get back in any time they like
> from now on, with you being none the wiser.
> With a real firewall in place, to get in to your machine to do any
> damage, they've got to crash apache each time and get in that way.
> "Somebody's gonna notice..."
No, they don't. All they have to do is install a proxy that will
connect out rather than wait for a connection in. In most non-DMZ
scenarios this will bypass the firewall as it's an outbound connection
from an allowed source.
> If you're attacking my arguments to make a DMZ look more acceptable,
> don't bother.
I'm not, I simply don't agree that there's a significant difference
between services running on a firewall machine and services running on
systems behind the firewall but not in a DMZ.
> I know DMZs are a good thing, and for anyone watching this at home: If
> you can possibly wangle it, put all externally accessible machines in
> a DMZ which is totally untrusted by everything else. Treat your
> external servers as though they were already cracked.
> All I'm saying is that servers on the regular internal network,
> secured by a serviceless firewall, are still better than externally
> accessible services on the firewall itself. I hope you'll agree with
I still disagree.
Jamin W. Collins
Remember, root always has a loaded gun. Don't run around with it unless
you absolutely need it. -- Vineet Kumar