
Re: basic question about firewall usage



On Sat, May 10, 2003 at 03:23:13PM +1000, Matthew Palmer wrote:
> On Fri, 9 May 2003, Jamin W. Collins wrote:
>
> Imagine, for example, that in order for the attacker to get in, they
> need to crash apache in some way.  Somebody's likely to notice that
> sort of thing.  Without a firewall (or with a firewall the attacker
> can fux0r with) they can punch a hole, install a backdoor, and then
> restart apache.  Downtime?  A couple of minutes.  But you're
> thoroughly r00ted, because s/h/it can get back in any time they like
> from now on, with you being none the wiser.
> 
> With a real firewall in place, to get into your machine to do any
> damage, they've got to crash apache each time and get in that way.
> "Somebody's gonna notice..."

No, they don't.  All they have to do is install a proxy that will
connect out rather than wait for a connection in.  In most non-DMZ
scenarios this will bypass the firewall as it's an outbound connection
from an allowed source.

> If you're attacking my arguments to make a DMZ look more acceptable,
> don't bother. 

I'm not, I simply don't agree that there's a significant difference
between services running on a firewall machine and services running on
systems behind the firewall but not in a DMZ.

> I know DMZs are a good thing, and for anyone watching this at home: If
> you can possibly wangle it, put all externally accessible machines in
> a DMZ which is totally untrusted by everything else.  Treat your
> external servers as though they were already cracked.

Agreed.

> All I'm saying is that servers on the regular internal network,
> secured by a serviceless firewall, are still better than externally
> accessible services on the firewall itself.  I hope you'll agree with
> that.

I still disagree.

-- 
Jamin W. Collins

Remember, root always has a loaded gun.  Don't run around with it unless
you absolutely need it. -- Vineet Kumar
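As an added illustration of the point made above about an outbound-connecting backdoor (this is example code written for this page, not code from either poster): the Python below models a first-match stateful packet filter and runs the same post-compromise probes against two made-up rule sets, a web server on the internal LAN behind a port-forwarding firewall, and the same server in a DMZ that may initiate nothing. The zone names ("inet", "lan", "dmz"), ports and rules are assumptions chosen for the demonstration.

```python
"""Model of a stateful, first-match packet filter (constructed example).

Only the first packet of a connection is evaluated; replies to an
accepted connection are passed by connection tracking.  That is why a
backdoor that dials *out* needs just one permitted outbound SYN, while
one that listens needs an inbound rule the admin never wrote.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as the filter sees it (zones are assumed)."""
    src_zone: str
    dst_zone: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "*" matches any zone
    dst_zone: str
    dport: Optional[int]   # None matches any port
    action: str            # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ("*", f.src_zone)
                and self.dst_zone in ("*", f.dst_zone)
                and self.dport in (None, f.dport))


def decide(rules, flow: Flow, default: str = "drop") -> str:
    """First matching rule wins; unmatched traffic hits the default policy."""
    # Hosts in the same zone talk to each other without crossing the
    # firewall at all, so nothing is filtered (or logged) there.
    if flow.src_zone == flow.dst_zone:
        return "unfiltered"
    for r in rules:
        if r.matches(flow):
            return r.action
    return default


# Scenario 1: web server on the internal LAN behind a "serviceless"
# firewall.  Port 80 is forwarded in; the LAN may go anywhere outbound.
LAN_SERVER = [
    Rule("inet", "lan", 80, "accept"),
    Rule("lan", "inet", None, "accept"),
]

# Scenario 2: web server in a DMZ.  Inbound 80, admin SSH from the LAN,
# and the DMZ host may initiate nothing else, to the Internet or the LAN.
DMZ_SERVER = [
    Rule("inet", "dmz", 80, "accept"),
    Rule("lan", "dmz", 22, "accept"),
]


def after_compromise(rules, server_zone: str) -> dict:
    """What an attacker who already owns the web host can do next."""
    probes = {
        "normal_http_in":            Flow("inet", server_zone, 80),
        "attacker_connects_in":      Flow("inet", server_zone, 4444),
        "backdoor_calls_out":        Flow(server_zone, "inet", 4444),
        "backdoor_calls_out_on_443": Flow(server_zone, "inet", 443),
        "pivot_to_fileserver":       Flow(server_zone, "lan", 445),
    }
    return {name: decide(rules, f) for name, f in probes.items()}


if __name__ == "__main__":
    for label, rules, zone in (("LAN server", LAN_SERVER, "lan"),
                               ("DMZ server", DMZ_SERVER, "dmz")):
        print(f"== {label} ==")
        for name, verdict in after_compromise(rules, zone).items():
            print(f"  {name:28s} {verdict}")
```

In both rule sets the attacker's inbound connection to the backdoor port is dropped, which is the case Matthew describes. The difference is the outbound direction: with the server on the LAN the backdoor's own connection out is accepted by the blanket outbound rule, and the jump to an internal file server never touches the firewall at all. The weak spot in the DMZ rule set is any egress you do allow: if DMZ hosts may reach the Internet on 443 for updates, the backdoor simply dials out on 443, so such egress is better sent through an explicit proxy that logs what it relays.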


