From: Allen Landsidel <asym@rfnj.org>
To: freebsd-security@freebsd.org
Date: Tue, 27 Nov 2001 07:27:59 -0500
Subject: Re: Best security topology for FreeBSD
Message-Id: <5.1.0.14.0.20011127071415.00aa4a18@rfnj.org>

At 12:40 AM 11/27/2001 -0500, you wrote:

> > Now Firewall_B is open, and Firewall_A may as well be, because any packets
> > that Firewall_A would have blocked can simply be tunneled through a
> > connection to compromised Firewall_B.
>
> Yes. But a single firewall design is also vulnerable to this attack. The
> same way.

After reading your response from front to back, I see we have a fundamental disagreement or misunderstanding on how to set up the single firewall system. I'll get to it in a minute.

> I say, no. They will not be accessible all-round, first because they
> have host-restrictions algorithms such as host.access and second because
> the firewall will block some traffic accessing illegitimate port/address
> combinations.

Still, I don't follow this with regard to what you previously said. In any event, I think it's best if you lock down each machine as much as possible, and do your best not to run public-access services alongside private-access services on a single machine.
If the machine is compromised, you'll suffer headaches and nausea on a greater scale than you should. ;)

> I am confused here. If it is in the DMZ, it is still "in" the firewall,
> no? Whether the design of the firewall is single or dual, the DMZ is
> still "in" the firewall.

OK, here is where I think the confusion comes in. In my personal experience, if you do as I indicated above with regard to securing every box, then a "normal" configuration is not so much a three-interface firewall. You would just set up a normal two-interface firewall: one of the ports on the firewall goes to the "black" side, which represents the hub/switch that your T1 or whatever goes into. The "red" side represents the interior of the firewalled network, after filtering. The DMZ can exist as machines plugged into the same ethernet hub/switch as the black side of the firewall... you follow? Nothing in the DMZ is firewalled, and perhaps "sacrificial host" is a more appropriate description of the machines in that area, but if you're making backups as you should, then all the machines could be considered sacrificial. ;)

This ties into my point about not running services willy-nilly on the machine and doing your best to secure each and every box. If you have a webserver, say, it should only be listening on port 80. If it's going to be inside the firewall you have to punch a hole allowing that traffic through, so everything there is going to hit the webserver and possibly compromise it. Thus, if you keep it on the outside of the firewall, damage to the rest of the network after the compromise will be minimal.

> It's basically an implementation detail to choose a single or dual
> firewall setup. I'm just saying that one does not weaken the system's
> security, apart from the "false sense of security" you mentioned that
> I consider solvable with proper education. :)

Well, there is more to it than just that.
The simple fact is it opens up two points of attack, unless the outer firewall is blocking all traffic, in which case you don't need two. Either you build two similar machines, with the same OS and firewall software, and thus identical exploits... or you build two dissimilar machines, with perhaps a different OS and firewall, and thus different (and twice as many total) exploits. Do you follow?

> So the dmz is always "within" the firewall, since the single fw design
> wraps the functionality of fw1 and fw2 within itself to allow access to
> the dmz:

I snipped all this due to my explanation above. I see it:

    out
     |
    wan
     |
    switch --- dmz
     |
    fw
     |
    switch
     |
    lan

> If you want to get into this...
>
> Could I modify the equation to say:

Again, see my own personal description of "single" firewall design above; perhaps we weren't talking about the same thing. I'm sure we weren't.

> Hmm.. Agreed. But I still maintain this doesn't make the dual firewall
> design *weaker*. Comparable with the other one, yes.

See above. It can and will.

> Let's not kill each other over this. ;)

Hmm.. lemme think about that. Deal. ;)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
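The three layouts argued over in this message (web server on the black side as a sacrificial host, web server inside a single firewall with a hole punched for port 80, and the two-firewall sandwich with the DMZ between them) can be compared mechanically by asking what an attacker who already owns one box can go on to reach. The model below is an added example, not code from the original post or from any FreeBSD tool; the host names, segments, ports and filter rules are constructed for illustration. It makes the worst-case assumption that any listening service the attacker can connect to is exploitable, and that an owned firewall passes everything (the "tunnel through compromised Firewall_B" case quoted above). Host-level restrictions stand in for hosts.allow; firewall rules are (source segment, destination host, port) triples.

```python
"""Zone/firewall reachability model for comparing DMZ topologies.

Constructed example for this thread; all names and rules are assumptions.
"""
from collections import deque


class Host:
    def __init__(self, name, segment, listens=None):
        self.name = name
        self.segment = segment        # network segment the host sits on
        # port -> set of segments allowed to connect (hosts.allow style);
        # None means the service answers to every segment.
        self.listens = listens or {}


class Firewall(Host):
    def __init__(self, name, segments, allow, manage_from, listens=None):
        super().__init__(name, manage_from, listens)
        self.segments = segments      # the two segments it joins
        self.allow = set(allow)       # (src_segment, dst_host, port) passed


class Network:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}
        self.firewalls = [h for h in hosts if isinstance(h, Firewall)]

    def _firewalls_between(self, src_seg, dst_seg):
        """BFS over segments; return the firewalls crossed, or None if no path."""
        if src_seg == dst_seg:
            return []
        queue, seen = deque([(src_seg, [])]), {src_seg}
        while queue:
            seg, crossed = queue.popleft()
            for fw in self.firewalls:
                if seg not in fw.segments:
                    continue
                other = fw.segments[1] if fw.segments[0] == seg else fw.segments[0]
                if other in seen:
                    continue
                if other == dst_seg:
                    return crossed + [fw]
                seen.add(other)
                queue.append((other, crossed + [fw]))
        return None

    def reachable_services(self, src, owned):
        """(host, port) pairs a client on host `src` can connect to."""
        src_host = self.hosts[src]
        # An owned firewall can originate traffic on either side it joins.
        src_segs = src_host.segments if isinstance(src_host, Firewall) else (src_host.segment,)
        result = set()
        for dst in self.hosts.values():
            if dst.name == src:
                continue
            for seg in src_segs:
                path = self._firewalls_between(seg, dst.segment)
                if path is None:
                    continue
                for port, allowed_from in dst.listens.items():
                    if allowed_from is not None and seg not in allowed_from:
                        continue      # host-level restriction blocks it
                    # every firewall on the path must pass it, unless the
                    # attacker already owns that firewall and tunnels through
                    if all(fw.name in owned or (seg, dst.name, port) in fw.allow
                           for fw in path):
                        result.add((dst.name, port))
        return result

    def blast_radius(self, *initial):
        """Transitive closure of hosts an attacker starting at `initial` can own."""
        owned, queue = set(initial), deque(initial)
        while queue:
            cur = queue.popleft()
            for host, _port in self.reachable_services(cur, owned):
                if host not in owned:
                    owned.add(host)
                    queue.append(host)
        return owned


LAN = [Host("files", "lan", {2049: {"lan"}}), Host("desktop", "lan", {22: {"lan"}})]


def dmz_outside():
    """Web server on the black side; nothing from outside is passed inward."""
    return Network([Host("attacker", "wan"), Host("www", "wan", {80: None, 22: {"lan"}}),
                    Firewall("fw", ("wan", "lan"), {("lan", "www", 22)}, "lan", {22: {"lan"}})] + LAN)


def web_inside():
    """Same firewall, but the web server is on the lan with a hole for port 80."""
    return Network([Host("attacker", "wan"),
                    Firewall("fw", ("wan", "lan"), {("wan", "www", 80)}, "lan", {22: {"lan"}}),
                    Host("www", "lan", {80: None, 22: {"lan"}})] + LAN)


def dual_firewall():
    """Outer fw passes 80 to a dmz web server; inner fw passes nothing from dmz to lan."""
    return Network([Host("attacker", "wan"),
                    Firewall("fw1", ("wan", "dmz"), {("wan", "www", 80)}, "dmz", {22: {"lan"}}),
                    Host("www", "dmz", {80: None, 22: {"lan"}}),
                    Firewall("fw2", ("dmz", "lan"), {("lan", "www", 22), ("lan", "fw1", 22)},
                             "lan", {22: {"lan"}})] + LAN)


if __name__ == "__main__":
    for label, net in [("dmz outside", dmz_outside()), ("web inside", web_inside()),
                       ("dual fw", dual_firewall())]:
        print(f"{label:12} attacker owns: {sorted(net.blast_radius('attacker'))}")
    print(f"dual fw, fw2 compromised: {sorted(dual_firewall().blast_radius('attacker', 'fw2'))}")
```

Running it shows the point being argued: with the web server on the black side, owning it gains nothing further; with the web server inside a single firewall, the port-80 hole plus lan-only trust on the other boxes lets the attacker walk the whole lan; the dual-firewall layout contains the web server compromise exactly as the single-firewall-with-sacrificial-host layout does, until the inner firewall itself is owned, at which point the outer one "may as well be" open.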