Date:      Tue, 27 Nov 2001 14:31:38 +0000
From:      "WebSec WebSec" <secure21st@hotmail.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <F136r0qUasw83tnJz0L000178a5@hotmail.com>

See below

#######################################################################
To:	all@biosys.net
cc:	freebsd-security@FreeBSD.ORG
Date:	11/27/2001 12:40 AM
From:	owner-freebsd-security@FreeBSD.ORG
Subject:	Re: Best security topology for FreeBSD


>Imagine : You have Firewall_A letting packet X through.  Firewall_B is also
>letting packet X through, because X matches the rules on both that say the
>packet is safe.  Uh-oh, X was actually a malicious packet that (pardon a
>contrived example) crashes Firewall_B after running some code that it
>inserted before smashing the stack.
>

Can someone show me an example of "a packet" that can execute arbitrary 
code on a firewall that only does filtering... :) Clearly, either I am too 
far behind or someone is too far ahead.... If you are implying a compromise 
of a proxy server, this same proxy should not be moving "outbound" traffic 
and the filtering firewall should be configured as such. This would prevent 
someone getting shell access, at least immediately.  Note that you created 
"one" more hop and, therefore, have extra time for your IDS to detect the 
attack.  Mission accomplished!

In case you have a single firewall.....  you did not get that extra time.

To make it even more interesting, a "triple" firewall set-up helps to 
mitigate many of the risks.  It is, however, overkill in many-many-many 
cases except where security really matters. :)

Now, a quad system will probably not be practical or at least I have not 
seen a situation where it would be practical :)



>>Yes. But a single firewall design is also vulnerable to this attack. The
>>same way.

No it is not if it is properly configured and is not doing proxying...

> >> Consider this, however: The DMZ is used to contain normally "insecure"
> >> services such as web, ftp and mail servers.  The area past the firewall(s)
> >> would ideally contain machines to which no incoming connections are allowed
> >> to be initiated.  The flip side of this is that the machines furthest to
> >> the inside are those that are most often operated by unclued users who are
> >> historically very good at running trojans, viruses, and other malicious
> >> code on their machines without proper investigation.  In any event, the
> >> first configuration, with the DMZ hanging off the firewall (or more likely,
> >> off the same switch/hub that the firewall is connected to) is likely more
> >> secure than the two firewall option with the DMZ in the middle.
> >
Whoever put this together has not ever set up a web - sql architecture...  
Your web server should be on "DMZ".. but what do you do with SQL if it does 
not accept connections...? :)  Keep it on DMZ also?


In other words, dual firewalls are "a lot" better in many (NOT ALL) cases 
(if one uses different products).  But you do need to match products 
carefully.

AND DO PUT THAT IDS ......
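
Added illustration, not part of the original message or of any poster's configuration: a dry-run ipfw ruleset for the inner filtering firewall in the dual-firewall layout discussed above, with the web server in the DMZ and SQL behind it. The addresses, interface name, SQL port and rule numbers are assumptions chosen for the example.

```sh
#!/bin/sh
# Inner (second) filtering firewall between the DMZ and the inside network.
# Every address, interface name and port below is a constructed assumption.

# Dry run by default: rules are printed, not loaded.
# Set fwcmd=/sbin/ipfw on a FreeBSD host to load them.
fwcmd="${fwcmd:-echo ipfw}"

dmz_if="fxp0"              # hypothetical interface facing the DMZ
dmz_net="192.0.2.0/24"     # DMZ network (documentation range)
web="192.0.2.10"           # web server / proxy living in the DMZ
inside_net="10.0.0.0/24"   # network behind the inner firewall
sql="10.0.0.5"             # SQL server behind the inner firewall
sql_port="1433"            # assumed SQL listener port

inner_rules() {
    # Pass replies belonging to flows that a keep-state rule already admitted.
    ${fwcmd} add 100 check-state

    # The single DMZ-initiated flow allowed inward: web server to SQL.
    ${fwcmd} add 200 allow tcp from ${web} to ${sql} ${sql_port} in via ${dmz_if} setup keep-state

    # Anything else a DMZ host tries to initiate is dropped and logged, so a
    # compromised web server or proxy cannot open new sessions through this
    # hop and the attempt shows up for the IDS / log review.
    ${fwcmd} add 300 deny log ip from ${dmz_net} to any in via ${dmz_if}

    # Inside hosts may initiate connections; state entries admit the replies.
    ${fwcmd} add 400 allow ip from ${inside_net} to any keep-state

    # Explicit logged default deny.
    ${fwcmd} add 65000 deny log ip from any to any
}

inner_rules
```

Rule order matters here: rule 200 has to sit above rule 300, otherwise the web-to-SQL traffic is caught by the logged deny.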

