Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Nov 2001 23:38:01 -0500
From:      Allen Landsidel <all@biosys.net>
To:        freebsd-security@freebsd.org
Subject:   Re: Best security topology for FreeBSD 
Message-ID:  <5.1.0.14.0.20011126232315.00a8fce0@rfnj.org>

next in thread | raw e-mail | index | archive | help
At 06:58 PM 11/26/2001 -0500, The Anarcat wrote:


>No. You have a 50/50 chance of strengthening you network. I don't think
>you can *weaken* (sp?) it since the machine are placed in serie, not in

Spelling is correct, conclusion incorrect.

Imagine : You have Firewall_A letting packet X through.  Firewall_B is also 
letting packet X through, because X matches the rules on both that say the 
packet is safe.  Uh-oh, X was actually a malicious packet that (pardon a 
contrived example) crashes Firewall_B after running some code that it 
inserted before smashing the stack.

Now Firewall_B is open, and Firewall_A may as well be, because any packets 
that Firewall_A would have blocked can simply be tunneled through a 
connection to compromised Firewall_B.


>So we here have a case where the network is actually strenghten and no
>case where it is weaker.

--snip--

No reply here.  Read above.


> > Consider this, however: The DMZ is used to contain normally "insecure"
> > services such as web, ftp and mail servers.  The area past the firewall(s)
> > would ideally contain machines to which no incoming connections are 
> allowed
> > to be initiated.  The flip side of this is that the machines furthest to
> > the inside are those that are most often operated by unclued users who are
> > historically very good at running trojans, viruses, and other malicious
> > code on their machines without proper investigation.  In any event, the
> > first configuration, with the DMZ hanging off the firewall (or more 
> likely,
> > off the same switch/hub that the firewall is connected to) is likely more
> > secure than the two firewall option with the DMZ in the middle.
>
>Why?

Because traffic will be exposed that normally wouldn't be; In a one 
firewall suggestion with the DMZ being just some ethernet ports hanging off 
the same device that the firewall plugs into, you'll be forced to assume 
that everything going on outside the firewall is fair game for sniffing, 
spoofing, whatever.  A two machine system gives you a false sense of 
security inside the DMZ.


>Not. Some services are internal, some are external. And the firewall
>should control that, not the server.

So your answer is to leave every insecure piece of junk server listening on 
all the machines, and just block them with the firewall.  Pardon me while I 
fire you.


> > So,
> > the question is, would you rather have a machine compromised inside one of
> > your firewalls, or outside of it?
>
>Er... You're going to put this machine where then? Outside your
>firewall? I'm not following you.

Now I'm not following you.. put what machine?  The compromised 
machine?  Assuming one does get compromised, would you rather have it :
   A) Inside one of your firewalls you thought was secure.
      or
   B) Outside your firewall, where even if it -is- compromised, the 
security of the interior is not breached along with it.


> > Personally, I'd rather have it on the
> > outside, where the chances of a compromise affecting the security of the
> > other machines in the DMZ is negligible, and the chance of compromising 
> the
> > security of machines inside the firewall is no higher than it was before
> > the attack took place.
>
>You'll have to define your "firewall"'s definition, I guess, because it
>is imprecise. Wether you have the single or dual configuration, you
>always have the machine "inside the firewall"...

No, in the single-firewall method there is only one firewall, and all the 
untrusted servers hang off the DMZ on the outside.


>Having a dual firewall setup is easier to setup, IMHO. Another advantage I
>see: if a machine is broke or DOS'd, you pull the plug and cut off only
>a *part* of the services. In other words, you don't have performances
>penalties for oustide and inside services. :)

I don't follow this logic at all.  Let N = Number of machines you currently 
have, and W = Work required to set up and maintain.  your network; L = 
Labor required to set up just one machine.  Most of us know pretty much 
that W = N * L.  Are you saying that with N + 1, W is suddenly not only 
less than (2 * N * L), but also less than the original N * L?

The "performance penalties" part of it was utter gibberish to me.


>The 2 firewalls are still independant services and an attack that
>affects the first one *might* affect the second one, but not necessarly.
>And in order to do this, it must get to it in the first place, which
>means breaking into it. If you have a single firewall, it can be DOS
>attacked and the 2 functionalities (services) are affected.

You missed the point.  Say you do (what most people will do when setting up 
this configuration) is buy two identical machines, install the identical OS 
onto them, and set up identical services.. minimal as they may be for a 
firewall.  At this point, the differences enter, entirely in the firewall 
rulesets.

If someone can compromise the first firewall through some bug or 
vulnerability, chances are near 100% that they can compromise the second 
one the exact same way.  How would the packets reach the second one you 
say?  Well.. um.. they've already circumvented the first one, so what's 
stopping them?



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20011126232315.00a8fce0>