From: Allen Landsidel
Date: Mon, 26 Nov 2001 18:07:21 -0500
To: freebsd-security@freebsd.org
Subject: Re: Best security topology for FreeBSD

>Defense in depth. Examples: A glitch/security breach in Firewall1's
>ruleset/software does not necessarily expose the internal network.
>Any vulnerabilities in Firewall2 are harder to exploit when protected
>by Firewall1.

I have to say.. I've been biting my tongue on this topic, but I feel like speaking up now.

The above paragraph is well and good for actual firewalls (like you find in vehicles) and actual DMZs (like you find in a warzone) because depth means that many more layers of opposing force you have to fight your way through. It seems pretty meaningless, however, when applied to a network.(*)

Chances are if an attacker can compromise "Firewall1" then they can use an identical exploit/hole/vulnerability to exploit "Firewall2." In war, there are such exploits, and they're called bullets.
They are not, however, magic bullets that always hit their targets and disable them in such a way that they immediately talk when captured. In the IT definition, they are exactly that.

It would be best if we just stick to the terminology as it's been adopted, but try and not carry the metaphor too far.. it just falls down.

The only case where the second example may prove more secure in protecting the inside network is if the machines in the DMZ are the ones compromised, and not the firewalls themselves.

Consider this, however: The DMZ is used to contain normally "insecure" services such as web, ftp and mail servers. The area past the firewall(s) would ideally contain machines to which no incoming connections are allowed to be initiated. The flip side of this is that the machines furthest to the inside are those that are most often operated by unclued users who are historically very good at running trojans, viruses, and other malicious code on their machines without proper investigation.

In any event, the first configuration, with the DMZ hanging off the firewall (or more likely, off the same switch/hub that the firewall is connected to) is likely more secure than the two-firewall option with the DMZ in the middle.

If you run your DMZ servers with only things listening on the port that you configured to listen on the port, and there are vulnerabilities in said servers, then they will be accessible no matter which side of the firewall(s) the server is on; if not, what's the point in the service?

So, the question is, would you rather have a machine compromised inside one of your firewalls, or outside of it? Personally, I'd rather have it on the outside, where the chances of a compromise affecting the security of the other machines in the DMZ are negligible, and the chance of compromising the security of machines inside the firewall is no higher than it was before the attack took place.

(*) I'm assuming that while the configuration may be different, the firewalls are virtually identical when it comes to the OS and firewall itself; the same vulnerability is more than likely to exist in both, if it exists in either. If you have two different firewalls, not only in name and configuration but in OS and firewall software (ipfw/ipf/whatever) as well, then you've got a 50/50 chance of either strengthening or weakening the net security to the inside of both.