From owner-freebsd-security Tue Nov 27 6:31:44 2001
From: "WebSec WebSec"
To: freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD
Date: Tue, 27 Nov 2001 14:31:38 +0000

See below

#######################################################################

To: all@biosys.net
cc: freebsd-security@FreeBSD.ORG
Date: 11/27/2001 12:40 AM
From: owner-freebsd-security@FreeBSD.ORG
Subject: Re: Best security topology for FreeBSD

> Imagine: You have Firewall_A letting packet X through. Firewall_B is also
> letting packet X through, because X matches the rules on both that say the
> packet is safe. Uh-oh, X was actually a malicious packet that (pardon a
> contrived example) crashes Firewall_B after running some code that it
> inserted before smashing the stack.

Can someone show me an example of "a packet" that can execute arbitrary code on a firewall that only does filtering... :) Clearly, either I am too far behind or someone is too far ahead....

If you are implying a compromise of a proxy server, this same proxy should not be moving "outbound" traffic and the filtering firewall should be configured as such. This would prevent someone getting shell access, at least immediately.
Note that you created "one" more hop and, therefore, have extra time for your IDS to detect the attack. Mission accomplished! In case you have a single firewall..... you did not get that extra time.

To make it even more interesting, a "triple" firewall set-up helps to mitigate many of the risks. It is, however, overkill in many-many-many cases except where security really matters. :) Now, a quad system will probably not be practical, or at least I have not seen a situation where it would be practical :)

>> Yes. But a single firewall design is also vulnerable to this attack. The
>> same way.

No it is not, if it is properly configured and is not doing proxying...

>>> Consider this, however: The DMZ is used to contain normally "insecure"
>>> services such as web, ftp and mail servers. The area past the firewall(s)
>>> would ideally contain machines to which no incoming connections are allowed
>>> to be initiated. The flip side of this is that the machines furthest to
>>> the inside are those that are most often operated by unclued users who are
>>> historically very good at running trojans, viruses, and other malicious
>>> code on their machines without proper investigation. In any event, the
>>> first configuration, with the DMZ hanging off the firewall (or more likely,
>>> off the same switch/hub that the firewall is connected to) is likely more
>>> secure than the two firewall option with the DMZ in the middle.

Whoever put this together has not ever set up a web - sql architecture... Your web server should be on the "DMZ".. but what do you do with SQL if it does not accept connections...? :) Keep it on the DMZ also?

In other words, dual firewalls are "a lot" better in many (NOT ALL) cases (if one uses different products). But you do need to match products carefully. AND DO PUT THAT IDS ......
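A small model of the layout argued for above (web server in the DMZ, SQL server inside, outer and inner filtering firewalls with no outbound from the DMZ), added here as an illustration and not part of the original thread or any FreeBSD code; all addresses, ports and rules are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
# Constructed documentation addresses; none of these come from the thread.
DMZ = ip_network("192.0.2.0/24")
INSIDE = ip_network("198.51.100.0/24")
ANY = ip_network("0.0.0.0/0")
WEB = ip_network("192.0.2.10/32")
SQL = ip_network("198.51.100.20/32")

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int

def pkt(src: str, dst: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), dport)

# A rule is (action, src_net, dst_net, dst_port or None). First match wins and
# unmatched traffic is denied, which is how an ipfw/ipf ruleset normally ends.
def evaluate(rules, pkt: Packet) -> str:
    for action, src, dst, port in rules:
        if pkt.src in src and pkt.dst in dst and port in (None, pkt.dport):
            return action
    return "deny"

# Firewall_A (outer): the Internet may reach only the DMZ web server on 80/443,
# and DMZ hosts may not open connections outbound (the "no outbound" point above).
FIREWALL_A = [
    ("allow", ANY, WEB, 80),
    ("allow", ANY, WEB, 443),
    ("deny", DMZ, ANY, None),
]
# Firewall_B (inner): only the web server may talk to the SQL server, on its port.
FIREWALL_B = [
    ("allow", WEB, SQL, 3306),
    ("deny", DMZ, INSIDE, None),
]
# A misconfigured outer firewall that also passes anything toward the inside.
FIREWALL_A_LEAKY = FIREWALL_A + [("allow", ANY, INSIDE, None)]

def zone(addr: IPv4Address) -> int:
    """0 = Internet, 1 = DMZ, 2 = inside; firewall i sits between zone i and i+1."""
    return 1 if addr in DMZ else 2 if addr in INSIDE else 0

def reaches(pkt: Packet, firewalls=(FIREWALL_A, FIREWALL_B)) -> bool:
    """True if every firewall on the path between the two zones allows the new connection."""
    lo, hi = sorted((zone(pkt.src), zone(pkt.dst)))
    return all(evaluate(fw, pkt) == "allow" for i, fw in enumerate(firewalls) if lo <= i < hi)
```

Replies to allowed connections are assumed to be handled by state tracking, so only connection-opening packets are modelled.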