Date:      Wed, 28 Nov 2001 13:05:01 -0500
From:      Allen Landsidel <all@biosys.net>
To:        freebsd-security@freebsd.org
Subject:   Re: Best security topology for FreeBSD
Message-ID:  <5.1.0.14.0.20011128124756.00a9d9e8@rfnj.org>
In-Reply-To: <F140NsokLQ8aZRhQdOg00016fa1@hotmail.com>

At 03:48 PM 11/28/2001 +0000, you wrote:


>Your phrase is equivalent to saying something like this: If you have not 
>heard about GMC SUBURBAN ( A really big car) transporting 700 people 
>cross-Atlantic - it does not mean it cannot be done.  I agree that things 
>are a bit more complicated in our world but com'mn... show me how you 
>would approach executing a stack on any non-trojaned packet filtering 
>device... at least in theory... I thought you couldn't :)

Again.. you miss the point.  I'm not surprised.  Imagine you have a crummy 
stack that just looks at the length header of the packet when getting the 
packet, then pushes the actual packet size onto the stack.  Which one is 
larger or smaller doesn't matter, you've just flubbed the machine and a 
smash is inevitable on the return from the call.  There are other ways of 
doing this as well, and as most smashes go, they all involve specially 
constructed packets that are invalid.

I thought I could!

Why were you yelling at me by the way?  No need for caps there cowboy.


>This is just silly....   I hope you understand what it means to not allow 
>outbound connections.  IT would take time to poke around and figure out 
>how and what to do on a machine that does not produce an output.  Most 
>likely the machine will crash....soon... And your "IDS" as in " monitoring 
>- analysis - incidence response on network and host levels" not as in " a 
>product" WILL TELL YOU ABOUT.  THIS IS TIME.  Clearly, you are not sure 
>what you are saying here.

I certainly know what I'm saying.. I have no idea however what you were 
just saying.  I couldn't make any sense of this paragraph.


>IN YOUR SINGLE FIREWALL DESIGN - IF A FIREWALL IS COMPROMISED YOUR ENTIRE 
>SECURITY MODEL IS BLOWN OUT OF THE WATER!

Yep.  In a two firewall design, the same is true.  Designing a security 
"gray area" into your network is lame.


>THE EXTRA TIME IS THE KEY SECURITY CONCEPT.  IF YOU HAVE UNLIMITED TIME - 
>YOU CAN GET TO ANYTHING... WELL ALMOST :)  Ever wondered why "Important" 
>Banks and other installations are not too far from police stations?  Your 
>phrase that time is not important goes beyond technical incompetence 
>right into security ignorance.  No offense.

I didn't say time is meaningless, I said your "extra time" is 
meaningless.  As for your other argument.. is that also the reason that 
everything around the bank is where it is.. like the laundromat? For that 
heightened security?  Maybe it's more likely that the bank was built where 
land was cheap, and the same goes for the police station.


>Well actually "ass" is not a very professional term - I would personally 
>try to avoid it on the Net - but yes a TCP WRAPPER is a firewall and it is 
>recommended to use them as much as possible... More so, IPSec is a firewall 
>"concept" because it "authenticates" source and, again, it is recommended.

TCP Wrapper is not a firewall, it's a logging and analysis tool.  IPSec is 
not a firewall either, it's an encryption and authentication 
system.  Neither one has anything to do with firewalls.


>Agreed - but we are talking about a firewall compromise here :)  This is 
>where time and triple firewall architecture and IDS process come into 
>play... Hope you see this now.

I agree with using an IDS, or as many of them as you can if you're 
paranoid.  I still don't agree with your "extra time" concept because you 
never covered the basic fact that if the firewalls are the same or similar, 
you'll probably have all of about 15 seconds before the second one 
falls.  Chances are you won't even know it happened until it's too 
late.  Rare is the case where a firewall is compromised and someone 
immediately catches on before any damage is done to other systems.


>I am not against the previous definition of a single firewall with three
>interfaces; one for outside, one for inside, and one for the dmz.. but it's
>usually not required.

If it's not required, then by definition, the two firewall design is not 
required either.  They're the same thing functionally, only requiring less 
hardware.

Please fix your mail quoting if you continue to reply.. you had everything 
all jumbled this time.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
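Added example, not part of the thread above: Allen's "crummy stack" scenario is a parser that takes the length field in a packet header at face value while the bytes actually received say something else. The check a defender wants is the one below: the declared length must fit the destination buffer and must agree with what arrived before anything is copied. The wire format (two-byte big-endian length followed by payload), the function names and the sample datagrams are all constructed for this illustration and do not belong to any real protocol or to FreeBSD's stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example (not a real protocol):
 *   bytes 0-1 : declared payload length, big-endian
 *   bytes 2.. : payload
 */
#define HDR_LEN     2
#define MAX_PAYLOAD 64

enum parse_result {
    PARSE_OK              = 0,
    PARSE_LENGTH_MISMATCH = 1,   /* header length != bytes actually received   */
    PARSE_TOO_LONG        = 2,   /* header claims more than the buffer can hold */
    PARSE_SHORT_HEADER    = 3    /* not even a full header arrived              */
};

/* Copy the payload of a received datagram into a fixed-size buffer.
 * Nothing in the header is trusted: the declared length is bounded by the
 * destination size and must match the bytes that were really received, so
 * the memcpy below can never run past either the source or the destination. */
enum parse_result parse_packet(const uint8_t *pkt, size_t received_len,
                               uint8_t out[MAX_PAYLOAD], size_t *out_len)
{
    if (received_len < HDR_LEN)
        return PARSE_SHORT_HEADER;

    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];

    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LONG;
    if (declared != received_len - HDR_LEN)
        return PARSE_LENGTH_MISMATCH;

    memcpy(out, pkt + HDR_LEN, declared);   /* bounded by both checks above */
    *out_len = declared;
    return PARSE_OK;
}

/* Constructed sample datagrams (not captured traffic). */
static const uint8_t sample_ok[]        = { 0x00, 0x04, 'p', 'i', 'n', 'g' }; /* declares 4, carries 4  */
static const uint8_t sample_mismatch[]  = { 0x00, 0x40, 'p', 'i', 'n', 'g' }; /* declares 64, carries 4 */
static const uint8_t sample_oversized[] = { 0xFF, 0xFF, 'x' };                /* declares 65535         */
static const uint8_t sample_short[]     = { 0x00 };                           /* one header byte only   */

/* Run the parser on one sample and report the result code. */
int check_sample(const uint8_t *pkt, size_t len)
{
    uint8_t buf[MAX_PAYLOAD];
    size_t n = 0;
    return (int)parse_packet(pkt, len, buf, &n);
}

int demo_ok(void)        { return check_sample(sample_ok,        sizeof sample_ok); }        /* 0 */
int demo_mismatch(void)  { return check_sample(sample_mismatch,  sizeof sample_mismatch); }  /* 1 */
int demo_oversized(void) { return check_sample(sample_oversized, sizeof sample_oversized); } /* 2 */
int demo_short(void)     { return check_sample(sample_short,     sizeof sample_short); }     /* 3 */

int main(void)
{
    printf("valid packet      -> %d\n", demo_ok());
    printf("length mismatch   -> %d\n", demo_mismatch());
    printf("oversized header  -> %d\n", demo_oversized());
    printf("truncated header  -> %d\n", demo_short());
    return 0;
}
```

The mismatch case is the interesting one: its declared length (64) fits the buffer, so a bounds check alone would pass it; only comparing the header against the received length catches it. Rejecting the packet outright, rather than copying the smaller of the two lengths, also keeps a malformed datagram from being half-processed.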
