Date:      Mon, 26 Nov 2001 18:07:21 -0500
From:      Allen Landsidel <all@biosys.net>
To:        freebsd-security@freebsd.org
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
In-Reply-To: <20011124224858.B228@gohan.cjclark.org>
References:  <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com>



>Defense in depth. Examples: A glitch/security breach in Firewall1's
>ruleset/software does not necessarily expose the internal network.
>Any vulnerabilities in Firewall2 are harder to exploit when protected
>by Firewall1.

I have to say.. I've been biting my tongue on this topic, but I feel like 
speaking up now.

The above paragraph is well and good for actual firewalls (like you find in 
vehicles) and actual DMZs (like you find in a warzone) because depth means 
that many more layers of opposing force you have to fight your way through.

It seems pretty meaningless however when applied to a network.(*)

Chances are if an attacker can compromise "Firewall1" then they can use an 
identical exploit/hole/vulnerability to exploit "Firewall2."  In war, there 
are such exploits, and they're called bullets.  They are not however, magic 
bullets, that always hit their targets and disable them in such a way that 
they immediately talk when captured.  In the IT definition, they are exactly 
that.  It would be best if we just stick to the terminology as it's been 
adopted, but try and not carry the metaphor too far.. it just falls down.

The only case where the second example may prove more secure in protecting 
the inside network is if the machines in the DMZ are the ones compromised, 
and not the firewalls themselves.

Consider this, however: The DMZ is used to contain normally "insecure" 
services such as web, ftp and mail servers.  The area past the firewall(s) 
would ideally contain machines to which no incoming connections are allowed 
to be initiated.  The flip side of this is that the machines furthest to 
the inside are those that are most often operated by unclued users who are 
historically very good at running trojans, viruses, and other malicious 
code on their machines without proper investigation.  In any event, the 
first configuration, with the DMZ hanging off the firewall (or more likely, 
off the same switch/hub that the firewall is connected to) is likely more 
secure than the two firewall option with the DMZ in the middle.

If you run your DMZ servers with only things listening on the port that you 
configured to listen on the port, and there are vulnerabilities in said 
servers, then they will be accessible no matter which side of the 
firewall(s) the server is on; If not, what's the point in the service?  So, 
the question is, would you rather have a machine compromised inside one of 
your firewalls, or outside of it?  Personally, I'd rather have it on the 
outside, where the chances of a compromise affecting the security of the 
other machines in the DMZ is negligible, and the chance of compromising the 
security of machines inside the firewall is no higher than it was before 
the attack took place.

(*) I'm assuming that while the configuration may be different, the 
firewalls are virtually identical when it comes to the OS and Firewall 
itself; The same vulnerability is more than likely to exist in both, if it 
exists in either.  If you have two different firewalls, not only in name 
and configuration but in OS and firewall software (ipfw/ipf/whatever) as 
well, then you've got a 50/50 chance of either strengthening or weakening the 
net security to the inside of both.
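The comparison the post makes in prose can be checked with a small reachability model. The following is an added example written for this archive page, not code from the thread or from FreeBSD: it evaluates a first-match rule table with ipfw-like semantics (only connection initiations, ipfw "setup" packets, are filtered; reply traffic is assumed to be admitted by keep-state) and computes which connection attempts each topology admits. Zone names, ports and the rule table are constructed for illustration; the "policy shared by every firewall" encodes the footnote's assumption that both boxes run the same OS and filter.

```python
"""First-match packet-filter model used to compare two DMZ topologies.

Constructed example: zones, ports and rules are illustrative, not a real site."""
from dataclasses import dataclass
from typing import Optional

INTERNET, DMZ, INSIDE = "internet", "dmz", "inside"
ZONES = (INTERNET, DMZ, INSIDE)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # zone name or "any"
    dst: str                    # zone name or "any"
    port: Optional[int] = None  # destination TCP port, None = any port


def first_match(rules, src, dst, port):
    """ipfw-style evaluation: the first rule whose selector matches decides.
    Only connection initiations are modelled; replies are assumed stateful."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action == "allow"
    return False  # implicit default deny, like a default-to-deny kernel


def firewall_policy(published):
    """The one policy every firewall box runs (footnote (*): same OS, same filter):
    publish the DMZ services, let the inside start outbound connections,
    never let anything start a connection into the inside."""
    rules = [Rule("allow", "any", DMZ, p) for p in sorted(published)]
    rules += [Rule("allow", INSIDE, "any"),
              Rule("deny", "any", INSIDE),
              Rule("deny", "any", "any")]
    return rules


def topology_single_firewall():
    """Topology 1: the DMZ hangs off a third leg of the single firewall,
    so every inter-zone connection crosses that one filter."""
    return {(s, d): ["fw"] for s in ZONES for d in ZONES if s != d}


def topology_dmz_in_middle():
    """Topology 2: internet - fw1 - DMZ - fw2 - inside."""
    return {
        (INTERNET, DMZ): ["fw1"], (DMZ, INTERNET): ["fw1"],
        (DMZ, INSIDE): ["fw2"], (INSIDE, DMZ): ["fw2"],
        (INTERNET, INSIDE): ["fw1", "fw2"], (INSIDE, INTERNET): ["fw2", "fw1"],
    }


def reachable(topology, policy, src, dst, port, compromised=frozenset()):
    """A connection attempt succeeds only if every filter on its path allows it.
    A compromised firewall box is modelled as passing everything."""
    for fw in topology[(src, dst)]:
        if fw in compromised:
            continue
        if not first_match(policy, src, dst, port):
            return False
    return True


def exposure(topology, policy, ports, compromised=frozenset()):
    """Set of (src, dst, port) connection initiations the topology admits."""
    return {(s, d, p) for (s, d) in topology for p in ports
            if reachable(topology, policy, s, d, p, compromised)}


PUBLISHED = {21, 25, 80}                 # constructed: ftp, smtp, http in the DMZ
PORTS = sorted(PUBLISHED | {22, 3306})   # constructed probe ports


def compare(published=PUBLISHED, ports=PORTS):
    """Exposure of both topologies with healthy filters, when the shared firewall
    software is exploitable (every box falls together), and when only the outer
    box falls (the footnote's 'two different firewalls' case)."""
    policy = firewall_policy(published)
    t1, t2 = topology_single_firewall(), topology_dmz_in_middle()
    return {
        "healthy": (exposure(t1, policy, ports), exposure(t2, policy, ports)),
        "shared_software_falls": (exposure(t1, policy, ports, {"fw"}),
                                  exposure(t2, policy, ports, {"fw1", "fw2"})),
        "only_outer_falls": (exposure(t1, policy, ports, {"fw"}),
                             exposure(t2, policy, ports, {"fw1"})),
    }


if __name__ == "__main__":
    r = compare()
    print("healthy filters, identical exposure:", r["healthy"][0] == r["healthy"][1])
    print("inside reachable once shared software falls:",
          all((INTERNET, INSIDE, 22) in e for e in r["shared_software_falls"]))
    print("inside reachable when only the outer box falls:",
          [(INTERNET, INSIDE, 22) in e for e in r["only_outer_falls"]])
```

With healthy filters the two topologies admit exactly the same set of connection attempts, and when one vulnerability takes out every box running the same software they again coincide; the second firewall only changes the outcome when it does not share the outer box's flaw, which is the case the footnote sets aside.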
