Date: Mon, 26 Nov 2001 18:58:33 -0500 From: The Anarcat <anarcat@anarcat.dyndns.org> To: Allen Landsidel <all@biosys.net> Cc: freebsd-security@freebsd.org Subject: Re: Best security topology for FreeBSD Message-ID: <20011126235832.GB1281@shall.anarcat.dyndns.org> In-Reply-To: <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org> References: <200111231250.fANCoha19105@cwsys.cwsent.com> <20011122031739.A226@gohan.cjclark.org> <200111231250.fANCoha19105@cwsys.cwsent.com> <5.1.0.14.0.20011126175234.00aeb5e8@rfnj.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--NMuMz9nt05w80d4+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon Nov 26, 2001 at 06:07:21PM -0500, Allen Landsidel wrote: >=20 >=20 > >Defense in depth. Examples: A glitch/security breach in Firewall1's > >ruleset/software does not necesarily expose the internal network. > >Any vulnerabilities in Firewall2 are harder to exploit when protected > >by Firewall1. >=20 > I have to say.. I've been biting my tongue on this topic, but I feel like= =20 > speaking up now. >=20 > The above paragraph is well and good for actual firewalls (like you find = in=20 > vehicles) and actual DMZ's (like you find in a warzone) because depth mea= ns=20 > that many more layers of opposing force you have to fight your way throug= h. >=20 > It seems pretty meaningless however when applied to a network.(*) > > (*) I'm assuming that while the configuration may be different, the=20 > firewalls are virtually identical when it comes to the OS and Firewall=20 > itself; The same vulnerability is more than likely to exist in both, if i= t=20 > exists in either.=20 Agreed. But even then, you might put different software and OS on each machine. :) > If you have two different firewalls, not only in name=20 > and configuration but in OS and firewall software (ipfw/ipf/whatever) as= =20 > well, then You've got a 50/50 chance of either strengthening or weaking t= he=20 > net security to the inside of both. No. You have a 50/50 chance of strengthening you network. I don't think you can *weaken* (sp?) it since the machine are placed in serie, not in parallel. The alternative to the dual config is to put a single machine, right? How can you weaken your network by putting another gate, even if it is breakable as much as the first one? You might not strenghten, but you sure do not weaken. > The only case where the second example may prove more secure in protectin= g=20 > the inside network is if the machines in the DMZ are the ones compromised= ,=20 > and not the firewalls themselves. So we here have a case where the network is actually strenghten and no case where it is weaker. > Consider this, however: The DMZ is used to contain normally "insecure"=20 > services such as web, ftp and mail servers. The area past the firewall(s= )=20 > would ideally contain machines to which no incoming connections are allow= ed=20 > to be initiated. The flip side of this is that the machines furthest to= =20 > the inside are those that are most often operated by unclued users who ar= e=20 > historically very good at running trojans, viruses, and other malicious= =20 > code on their machines without proper investigation. In any event, the= =20 > first configuration, with the DMZ hanging off the firewall (or more likel= y,=20 > off the same switch/hub that the firewall is connected to) is likely more= =20 > secure than the two firewall option with the DMZ in the middle. Why? > If you run your DMZ servers with only things listening on the port that y= ou=20 > configured to listen on the port, and there are vulnerabilities in said= =20 > servers, then they will be accessible no matter which side of the=20 > firewall(s) the server is on; If not, what's the point in the service? Not. Some services are internal, some are external. And the firewall should control that, not the server. > So,=20 > the question is, would you rather have a machine compromised inside one o= f=20 > your firewalls, or outside of it?=20 Er... You're going to put this machine where then? Outside your firewall? I'm not following you. > Personally, I'd rather have it on the=20 > outside, where the chances of a compromise affecting the security of the= =20 > other machines in the DMZ is negligible, and the chance of compromising t= he=20 > security of machines inside the firewall is no higher than it was before= =20 > the attack took place. You'll have to define your "firewall"'s definition, I guess, because it is imprecise. Wether you have the single or dual configuration, you always have the machine "inside the firewall"...=20 Having a dual firewall setup is easier to setup, IMHO. Another advantage I see: if a machine is broke or DOS'd, you pull the plug and cut off only a *part* of the services. In other words, you don't have performances penalties for oustide and inside services. :) The 2 firewalls are still independant services and an attack that affects the first one *might* affect the second one, but not necessarly. And in order to do this, it must get to it in the first place, which means breaking into it. If you have a single firewall, it can be DOS attacked and the 2 functionalities (services) are affected. a. --NMuMz9nt05w80d4+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjwC1ygACgkQttcWHAnWiGc1JwCeLtFjO4i4FNMhiB44clC6LUAO TAcAn3hRtz4MjVIi/JWI2t/AGlfTqZJS =C4MH -----END PGP SIGNATURE----- --NMuMz9nt05w80d4+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011126235832.GB1281>