Date: Wed, 28 Nov 2001 13:05:01 -0500
From: Allen Landsidel <all@biosys.net>
To: freebsd-security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <5.1.0.14.0.20011128124756.00a9d9e8@rfnj.org>
In-Reply-To: <F140NsokLQ8aZRhQdOg00016fa1@hotmail.com>
At 03:48 PM 11/28/2001 +0000, you wrote:

>Your phrase is equivalent to saying something like this: If you have not
>heard about GMC SUBURBAN (a really big car) transporting 700 people
>cross-Atlantic - it does not mean it cannot be done. I agree that things
>are a bit more complicated in our world but c'mon... show me how you
>would approach executing a stack on any non-trojaned packet filtering
>device... at least in theory... I thought you couldn't :)

Again.. you miss the point. I'm not surprised.

Imagine you have a crummy stack that just looks at the length header of the packet when getting the packet, then pushes the actual packet size onto the stack. Which one is larger or smaller doesn't matter, you've just flubbed the machine and a smash is inevitable on the return from the call. There are other ways of doing this as well, and as most smashes go, they all involve specially constructed packets that are invalid.

I thought I could! Why were you yelling at me, by the way? No need for caps there, cowboy.

>This is just silly.... I hope you understand what it means to not allow
>outbound connections. It would take time to poke around and figure out
>how and what to do on a machine that does not produce an output. Most
>likely the machine will crash....soon... And your "IDS" as in "monitoring
>- analysis - incidence response on network and host levels" not as in "a
>product" WILL TELL YOU ABOUT. THIS IS TIME. Clearly, you are not sure
>what you are saying here.

I certainly know what I'm saying.. I have no idea however what you were just saying. I couldn't make any sense of this paragraph.

>IN YOUR SINGLE FIREWALL DESIGN - IF A FIREWALL IS COMPROMISED YOUR ENTIRE
>SECURITY MODEL IS BLOWN OUT OF THE WATER!

Yep. In a two firewall design, the same is true. Designing a security "gray area" into your network is lame.

>THE EXTRA TIME IS THE KEY SECURITY CONCEPT. IF YOU HAVE UNLIMITED TIME -
>YOU CAN GET TO ANYTHING... WELL ALMOST :) Ever wondered why "Important"
>Banks and other installations are not too far from police stations? Your
>phrase that time is not important goes beyond technical incompetence
>right into security ignorance. No offense.

I didn't say time is meaningless, I said your "extra time" is meaningless. As for your other argument.. is that also the reason that everything around the bank is where it is.. like the laundromat? For that heightened security? Maybe it's more likely that the bank was built where land was cheap, and the same goes for the police station.

>Well actually "ass" is not a very professional term - I would personally
>try to avoid it on the Net - but yes a TCP WRAPPER is a firewall and it is
>recommended to use them as much as possible... More so, IPSec is a firewall
>"concept" because it "authenticates" source and, again, it is recommended.

TCP Wrapper is not a firewall, it's a logging and analysis tool. IPSec is not a firewall either, it's an encryption and authentication system. Neither one has anything to do with firewalls.

>Agreed - but we are talking about a firewall compromise here :) This is
>where time and 3-triple firewall architecture and IDS process comes to
>play... Hope you see this now.

I agree with using an IDS, or as many of them as you can if you're paranoid. I still don't agree with your "extra time" concept because you never covered the basic fact that if the firewalls are the same or similar, you'll probably have all of about 15 seconds before the second one falls. Chances are you won't even know it happened until it's too late. Rare is the case where a firewall is compromised and someone immediately catches on before any damage is done to other systems.

>I am not against the previous definition of a single firewall with three
>interfaces; one for outside, one for inside, and one for the dmz.. but it's
>usually not required.

If it's not required, then by definition, the two firewall design is not required either. They're the same thing functionally, only requiring less hardware.

Please fix your mail quoting if you continue to reply.. you had everything all jumbled this time.
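The "crummy stack" the reply describes, as an added example that is not part of the original mail: a constructed wire format with a two-byte length header, parsed once by a routine that trusts the header the way the mail describes and once by a hardened routine that checks the header against the bytes actually received and the destination buffer. The format, MAX_PAYLOAD and both function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format for this example: a 2-byte big-endian length
 * header followed by that many payload bytes. MAX_PAYLOAD is the size of
 * the caller's buffer (an assumed value). */
#define MAX_PAYLOAD 64

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = -1,  /* fewer than 2 bytes arrived */
    PARSE_TOO_LONG = -2,      /* header claims more than the buffer holds */
    PARSE_TRUNCATED = -3      /* header claims more than actually arrived */
};

/* The flawed parser from the mail: it reads the length header and copies
 * that many bytes, never asking how many bytes really arrived. A packet
 * whose header claims 60 bytes but carries 2 makes memcpy read past the
 * end of pkt. On valid input it behaves exactly like the hardened parser,
 * which is why a defect like this survives ordinary testing. */
enum parse_result parse_packet_naive(const uint8_t *pkt, size_t actual_len,
                                     uint8_t out[MAX_PAYLOAD], size_t *out_len)
{
    (void)actual_len;                       /* ignored: this is the defect */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LONG;              /* only the destination is checked */
    memcpy(out, pkt + 2, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Hardened version: the declared length must fit both the received byte
 * count and the destination buffer before anything is copied. */
enum parse_result parse_packet(const uint8_t *pkt, size_t actual_len,
                               uint8_t out[MAX_PAYLOAD], size_t *out_len)
{
    if (actual_len < 2)
        return PARSE_SHORT_HEADER;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LONG;
    if (declared > actual_len - 2)
        return PARSE_TRUNCATED;
    memcpy(out, pkt + 2, declared);         /* bounded by both checks above */
    *out_len = declared;
    return PARSE_OK;
}
```

The naive parser is only ever called on well-formed input here; the malformed packets go to the hardened parser, which rejects them before any copy happens.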