Date: Tue, 27 Nov 2001 07:27:59 -0500
From: Allen Landsidel <all@biosys.net>
To: freebsd-security@freebsd.org
Subject: Re: Best security topology for FreeBSD
Message-ID: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>
At 12:40 AM 11/27/2001 -0500, you wrote:
> > Now Firewall_B is open, and Firewall_A may as well be, because any packets
> > that Firewall_A would have blocked can simply be tunneled through a
> > connection to compromised Firewall_B.
>
>Yes. But a single firewall design is also vulnerable to this attack. The
>same way.
After reading your response from front to back.. I see we have a
fundamental disagreement or misunderstanding on how to set up the single
firewall system.. I'll get to it in a minute.
>I say, no. They will not be accessible all-round, first because they
>have host-restrictions algorithms such as host.access and second because
>the firewall will block some traffic accessing illegitimate port/address
>combinations.
Still.. I don't follow this with regard to what you previously said. In
any event, I think it's best if you lock down each machine as much as
possible, and do your best not to run public-access services alongside
private-access services on a single machine. If the machine is
compromised, you'll suffer headaches and nausea on a greater scale than you
should. ;)
>I am confused here. If it is in the DMZ, it is still "in" the firewall,
>no? Whether the design of the firewall is single or dual, the DMZ is
>still "in" the firewall.
OK here is where I think the confusion comes in.
In my personal experience, if you do as I indicated above with regard to
securing every box, then a "normal" configuration is not so much a
three-interface firewall.
You would just set up a normal two-interface firewall.. one of the ports on
the firewall goes to the "black" side, which represents the hub/switch that
your T1 or whatever goes into. The "red" side represents the interior of
the firewalled network, after filtering.
The DMZ can exist as machines plugged into the same ethernet hub/switch as
the black side of the firewall... you follow? Nothing in the DMZ is
firewalled, and perhaps "sacrificial host" is a more appropriate
description of the machines in that area, but if you're making backups as
you should, then all the machines could be considered sacrificial. ;)
This ties into my point about not running services willy-nilly on the
machine and doing your best to secure each and every box. If you have a
webserver, say, it should only be listening on port 80. If it's going to be
inside the firewall you have to punch a hole allowing that traffic through,
so everything there is going to hit the webserver and possibly compromise
it. Thus, if you keep it on the outside of the firewall, damage to the
rest of the network after the compromise will be minimal.
>It's basically an implementation detail to choose a single or dual
>firewall setup. I'm just saying that one does not weaken the system's
>security, apart from the "false sense of security" you mentioned that
>I consider solvable with proper education. :)
Well there is more to it than just that. The simple fact is it opens up
two points of attack, unless the outer firewall is blocking all traffic, in
which case, you don't need two.
Either you build two similar machines, with the same OS and firewall
software, and thus identical exploits.. or you build two dissimilar
machines, with perhaps a different OS and firewall, and thus different (and
twice as many total) exploits. Do you follow?
>So the dmz is always "within" the firewall, since the single fw design
>wraps the functionality of fw1 and fw2 within itself to allow access to
>the dmz:
I snipped all this due to my explanation above. I see it:
out
|
wan
|
switch --- dmz
|
fw
|
switch
|
lan
>If you want to get into this...
>
>Could I modify the equation to say:
Again.. see my own personal above description of "single" firewall design..
perhaps we weren't talking about the same thing.. I'm sure we weren't.
>Hmm.. Agreed. But I still maintain this doesn't make the dual firewall
>design *weaker*. Comparable with the other one, yes.
See above. It can and will.
>Let's not kill each other over this. ;)
Hmm.. lemme think about that.
Deal. ;)