Darren,

Good point, but you could have a setup such that the CFMX server isn't allowed to make any connections to web pages or FTP sites, meaning an attacker can't cause it to download extra tools from somewhere. Also, perhaps you deny it from sending any mail to prevent it becoming a spam relay etc. The point is, you can easily give it a different set of rules, including having a separate public IP from your gateway. This sort of thing might not be the be-all and end-all, but it would prevent a lot of automated attacks, particularly worms and such that work by compromising a machine and ordering it to establish a connection to download the executable worm.
Also it's quite hard, depending on your setup, to get FTP to go from FTP Server -> Firewall with NAT -> Internet <- Firewall with NAT <- FTP Client - well, I've never got it working anyway. One of the two machines has to have a public IP. Any other comment? (This is to do with the whole separate data/command ports.)

It's a good question though; anyone have any really good ideas where to use a DMZ?

Regards,
James

> -----Original Message-----
> From: TRACEY, Darren [mailto:[EMAIL PROTECTED]
> Sent: Monday, 5 July 2004 10:32 AM
> To: CFAussie Mailing List
> Subject: [cfaussie] Re: [OT] DMZ
>
> Firewalls/networks aren't my forte either, but I would have thought that not sacrificing your CFMX box was half the battle won.
> As it is, your CF box has almost full access to your database server and any other system it's connected to.
> If it gets compromised, then your attacker has the entire processing power of your CF server, without any traffic limitations of an internet connection, able to be brought to bear on your firewall till it finds a hole or weakness, with most of that effort being directed at your DB server and authentication system.
> I was always under the impression that this was a situation to be avoided at all costs.
> I would have thought that your server would be reasonably safe if the only connection it had to the world was via port 80 HTTP requests. I know there are still issues with this, but it's a much shorter and more manageable list of risks than offering up the whole server as a sacrificial lamb.
>
> That's my opinion, for what it's worth.
> I'm just curious, because what's been talked about has been a different approach to what I would have done, and I'm keen to know if there are any extra benefits in doing it that way.
>
> Regards
>
> Darren Tracey
> Systems Analyst
> Web Applications, Web and Integration Services
> p: + 61 7 3232 4091 (x64091)
> f: + 61 7 3232 4744
> e: [EMAIL PROTECTED]
> l: Lvl 9, 388 Queen St Brisbane QLD 4000
> m: Suncorp IPC IT040, GPO Box 1453, Brisbane QLD 4000
>
> > -----Original Message-----
> > From: Scott Barnes [SMTP:[EMAIL PROTECTED]
> > Sent: Monday, 5 July 2004 10:03
> > To: CFAussie Mailing List
> > Subject: [cfaussie] Re: [OT] DMZ
> >
> > I think, and firewalls/networks aren't my forte, but I think the reason for a CF box inside the DMZ is that if the actual CFMX box is compromised via code (which would open up lots of possibilities), it won't let you inside the actual network but simply let you play around in the DMZ containment area only.
> >
> > I think that's the way TQ did it, in that our boxes couldn't penetrate our internal network and had limited ports outbound opened?
> >
> > Mind you, I have no idea on this stuff, so I'll pipe down now.
> >
> > Scott
> >
> > TRACEY, Darren wrote:
> >
> > > Is there any amazingly compelling reason why you _must_ have your CF box actually _in_ the DMZ, and then have to poke all these holes through your firewall?
> > > Wouldn't it be better/safer/easier to put your CF box fully behind your firewall and just open HTTP port 80 traffic up to it from the big bad internet?
> > > This way you only have one hole in your firewall and only that one point of weakness, and you don't expose the entire webserver to every attack the internet wants to throw at it.
> > >
> > > Am I missing something?
> > > > > > Regards > > > > > > Darren Tracey > > > Systems Analyst > > > Web Applications, Web and Integration Services > > > p: + 61 7 3232 4091 (x64091) > > > f: + 61 7 3232 4744 > > > e: [EMAIL PROTECTED] > > > l: Lvl 9, 388 Queen St Brisbane QLD 4000 > > > m: Suncorp IPC IT040, GPO Box 1453, Brisbane QLD 4000 > > > > > > > > >>-----Original Message----- > > >>From: James Macpherson > [SMTP:[EMAIL PROTECTED] > > >>Sent: Friday, 2 July 2004 18:07 > > >>To: CFAussie Mailing List > > >>Subject: [cfaussie] RE: [OT] DMZ > > >> > > >>I would certainly hope not - I could be wrong... > > >> > > >>The first thing I'd try is maybe install the client tools on the > > webserver > > >>and see if you can get to your sql server with enterprise > manager or > > query > > >>analyser from the webserver, any error message these give > might be more > > >>useful (it might be something to do with the "named pipes" or SMB > > >>mentioned in the article etc. rather than the firewall > per se)... then > > >>start looking at the firewall logs as Ryan suggested. > > >> > > >>Another hint may be to run 'netstat -na' on the database > server to see > > >>what ports it's listening on - though I'd hope you > wouldn't have to > > resort > > >>to forwarding these 1 by 1 to find out which one makes it > tick then turn > > >>them off one by one - that's just a last resort that > springs to mind. > > >> > > >>Good luck, sounds very interesting! > > >> > > >>- James > > >> > > >> -----Original Message----- > > >> From: George Lu [mailto:[EMAIL PROTECTED] > > >> Sent: Friday, 2 July 2004 5:42 PM > > >> To: CFAussie Mailing List > > >> Subject: [cfaussie] RE: [OT] DMZ > > >> > > >> > > >> Thanks James and for pointing me to the link. It's > quite useful. We > > >>are using 'sa' account and port 1433 but this just for > the testing. > > Their > > >>cases are for ASP.NET. Does it apply to ColdFusion server > as well? Would > > >>CF use other secret ports for db connection? 
> > >>
> > >> George
> > >>
> > >> >>> [EMAIL PROTECTED] 2/07/04 17:15:05 >>>
> > >>
> > >> George,
> > >>
> > >> I believe you just need 1433 and that's it; however, you have to be sure that on your ColdFusion server you're using the PUBLIC IP of the firewall and that this port is forwarded. Also, if you're using Windows authentication this uses other ports (RPC???) that you don't want to be opening up at all...
> > >>
> > >> Oh, and whilst I'm going into paranoia mode: make sure your firewall only forwards 1433 from the webserver, not ANYTHING to port 1433 - remember some of those fun worms that got around - and no default 'sa' passwords either!!! (I'm sure you weren't thinking of doing that, but nonetheless...)
> > >>
> > >> I found this link <http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=35718> which sounds a lot like what you're trying to do, which mentions named pipes etc. which may affect your specific setup.
> > >>
> > >> Regards,
> > >>
> > >> James
> > >>
> > >> -----Original Message-----
> > >> From: George Lu [mailto:[EMAIL PROTECTED]
> > >> Sent: Friday, 2 July 2004 4:43 PM
> > >> To: CFAussie Mailing List
> > >> Subject: [cfaussie] RE: [OT] DMZ
> > >>
> > >> Thanks. That's what we are doing now. What I want to know is what ports need to be open.
> > >>
> > >> George
> > >>
> > >> >>> [EMAIL PROTECTED] 2/07/04 16:37:13 >>>
> > >>
> > >> Hi George,
> > >>
> > >> I'm tempted to guess that your DMZ has public IPs, whilst your LAN has got private ones, in which case you will need to forward the database ports of your LAN gateway to the private IP database server? This kind of setup could be quite complicated, especially if you've never messed with firewalls and such before.
> > >>
> > >> Regards,
> > >>
> > >> J
> > >>
> > >> -----Original Message-----
> > >> From: George Lu [mailto:[EMAIL PROTECTED]
> > >> Sent: Friday, 2 July 2004 4:07 PM
> > >> To: CFAussie Mailing List
> > >> Subject: [cfaussie] [OT] DMZ
> > >>
> > >> Hi All,
> > >>
> > >> We're going to set up an extranet environment. One option is to place our ColdFusion server in the DMZ (Demilitarized Zone) and the database server on the LAN. We are trying to test the connection between the CF server and the DB server without opening UDP and most of the TCP/IP ports. However, the connection always fails no matter how many TCP/IP ports are open. I've tried to put 1839 or 1433 in the Data Source setting. Does anyone have a similar situation? Could someone give me an idea what's happening?
> > >>
> > >> Here was the error message when I tried to verify the data source:
> > >>
> > >> Connection verification failed for data source: Intranet
> > >> []java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
> > >> The root cause was that: java.sql.SQLException: [Macromedia][SQLServer JDBC Driver]The requested instance is either invalid or not running.
> > >>
> > >> Thank you in advance.
> > >>
> > >> George
> > >>
> > >> George Lu
> > >> Web Developer/Engineer
> > >> Information Systems and Technology
> > >> Adult Multicultural Education Services
> > >> 4/255 William Street
> > >> Melbourne, Vic 3000
> > >> ------------------------------------------
> > >> Direct: 03 9926 4706
> > >> Fax: 03 9926 4695
> > >> Email: [EMAIL PROTECTED]
> > >> Web: www.ames.net.au
> > >> ------------------------------------------
> > >>
> > >> ---
> > >> You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
> > >> To unsubscribe send a blank email to [EMAIL PROTECTED]
> > >> Aussie Macromedia Developers: http://lists.daemon.com.au/
> > >>
> > >> AMES (Adult Multicultural Education Services)
> > >> www.ames.net.au
> > >>
> > >> Disclaimer
> > >> **********************************************************************
> > >> This email and any attachments may be confidential.
> > >> If received in error, please contact us and delete all copies.
> > >> Before opening or using attachments you should check them for viruses or defects.
> > >> Regardless of any loss, damage or consequence, whether caused by the negligence of the sender or not, resulting directly or indirectly from the use of any attached files our liability is limited to resupplying any affected attachments.
> > >> Any representations or opinions expressed are those of the individual sender, and not necessarily those of Adult Multicultural Education Services (AMES).
> > >> **********************************************************************
> > > ----------------------------------------------------------------------
> > > This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one of its related entities ("Suncorp").
> > >
> > > Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on 1800 689 762 or at suncorp.com.au.
> > >
> > > The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.
> > >
> > > If this e-mail constitutes a commercial message of a type that you no longer wish to receive please reply to this e-mail by typing Unsubscribe in the subject line.
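The rule set James describes in the thread (one inbound hole on port 80, 1433 forwarded from the web server's address only rather than from anywhere, and no outbound HTTP/FTP/SMTP from the DMZ host) as an added example that is not part of the thread: a small Python model of the policy that evaluates sample flows first-match with a default deny, and renders the same table as an nftables forward chain. The addresses (203.0.113.10 for the CF box, 192.168.1.20 for the SQL Server, the two subnets, and 198.51.100.7 as a stand-in internet host) and the sample flows are constructed for the example; nftables post-dates this thread, and the rendered chain is a starting point to load with `nft -f`, not a drop-in for any particular firewall product.

```python
"""
DMZ firewall policy as discussed in the thread, modelled as a first-match rule
table with a default deny. evaluate() gives the verdict for a flow and
to_nftables() renders the same table as an nftables forward chain.
Addresses are constructed for the example (RFC 5737 / RFC 1918 ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Tuple

CF_SERVER = ip_network("203.0.113.10/32")   # CFMX box in the DMZ (constructed)
DB_SERVER = ip_network("192.168.1.20/32")   # SQL Server on the LAN (constructed)
DMZ_NET = ip_network("203.0.113.0/24")
LAN_NET = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")

Flow = Tuple[str, str, str, int]            # (src, dst, proto, dport)


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "tcp"             # "tcp", "udp" or "any"
    dport: Optional[int] = None    # None matches every destination port
    comment: str = ""

    def matches(self, flow: Flow) -> bool:
        src, dst, proto, dport = flow
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# First match wins; a flow matching nothing falls through to the default drop.
POLICY = [
    # The single inbound hole: HTTP from anywhere to the CF box.
    Rule("accept", ANY, CF_SERVER, "tcp", 80, "public web"),
    # 1433 is forwarded from the web server's address only, never "anything to 1433".
    Rule("accept", CF_SERVER, DB_SERVER, "tcp", 1433, "CF to SQL Server"),
    # Egress from the DMZ: no tool downloads over HTTP/FTP, no mail relaying.
    Rule("drop", DMZ_NET, ANY, "tcp", 80, "no downloads over HTTP"),
    Rule("drop", DMZ_NET, ANY, "tcp", 21, "no downloads over FTP"),
    Rule("drop", DMZ_NET, ANY, "tcp", 25, "no outbound mail"),
    # Explicit rule for the containment property, so the intent is logged and visible.
    Rule("drop", DMZ_NET, LAN_NET, "any", None, "DMZ must not reach the LAN"),
]


def evaluate(flow: Flow, policy=POLICY) -> str:
    """Verdict ('accept' or 'drop') for one flow under first-match semantics."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "drop"


def _addr(net: IPv4Network) -> str:
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def to_nftables(policy=POLICY) -> str:
    """Render the policy as an nftables forward chain (load with `nft -f`)."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        parts = []
        if r.src != ANY:
            parts.append(f"ip saddr {_addr(r.src)}")
        if r.dst != ANY:
            parts.append(f"ip daddr {_addr(r.dst)}")
        if r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        elif r.proto != "any":
            parts.append(f"meta l4proto {r.proto}")
        if r.action == "drop":
            parts.append('log prefix "dmz-drop: "')
        parts.append(r.action)
        lines.append("    " + " ".join(parts) + f"  # {r.comment}")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows; 198.51.100.7 stands in for an arbitrary internet host.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "browser to CF over HTTP":          ("198.51.100.7", "203.0.113.10", "tcp", 80),
    "CF box to SQL Server":             ("203.0.113.10", "192.168.1.20", "tcp", 1433),
    "worm scanning 1433 from internet": ("198.51.100.7", "192.168.1.20", "tcp", 1433),
    "CF box fetching a tool over HTTP": ("203.0.113.10", "198.51.100.7", "tcp", 80),
    "CF box relaying mail":             ("203.0.113.10", "198.51.100.7", "tcp", 25),
    "CF box to a LAN file share":       ("203.0.113.10", "192.168.1.30", "tcp", 445),
}


def verdicts(flows=SAMPLE_FLOWS) -> Dict[str, str]:
    return {name: evaluate(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{verdict:<7}{name}")
    print(to_nftables())
```

Running the block prints a verdict per sample flow and the generated chain. The "worm scanning 1433 from internet" flow is the case James warns about: it falls through every rule to the default drop because the 1433 rule matches on the web server's source address, not on the port alone, and the "CF box to a LAN file share" flow shows the containment rule catching anything the 1433 rule did not explicitly allow.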

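George's error ("The requested instance is either invalid or not running") is not resolved in the thread. One thing worth checking that the thread does not cover: a SQL Server 2000 client that has been given an instance name first asks the SQL Server Resolution Protocol (SSRP, MC-SQLR) listener on UDP 1434 which TCP port that instance uses, and a named instance listens on a dynamically assigned port by default rather than on 1433. If UDP 1434 is filtered between the DMZ and the LAN, that lookup gets no answer no matter how many TCP ports are forwarded. Whether George's data source actually named an instance is an assumption. The following Python, an added example and not code from the thread or from any driver, builds the one-byte enumeration request, parses the SVR_RESP datagram, and extracts the advertised port for a named instance; the response bytes are constructed for the example (host SQLSRV, default instance MSSQLSERVER on 1433 and a named instance EXTRANET on 2433).

```python
"""
SQL Server Resolution Protocol (SSRP, MC-SQLR) helper: what a client does on
UDP 1434 before it can open the TCP port of a named SQL Server instance.
The SAMPLE_RESPONSE below is constructed, not captured from a server.
"""
import socket
import struct
from typing import Dict, List, Optional

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"   # one-byte request: "list every instance on this host"
SVR_RESP = 0x05           # first byte of every server response

# Constructed: a host with the default instance on TCP 1433 and a named
# instance EXTRANET on TCP 2433. Instances are separated by ";;".
_BODY = (
    b"ServerName;SQLSRV;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
    b"tcp;1433;np;\\\\SQLSRV\\pipe\\sql\\query;;"
    b"ServerName;SQLSRV;InstanceName;EXTRANET;IsClustered;No;Version;8.00.194;"
    b"tcp;2433;np;\\\\SQLSRV\\pipe\\MSSQL$EXTRANET\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY


def parse_svr_resp(datagram: bytes) -> List[Dict[str, str]]:
    """Parse SVR_RESP: 0x05, little-endian u16 length, then RESP_DATA, a
    ';'-delimited key/value list in which instances are separated by ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", datagram, 1)
    if len(datagram) < 3 + length:
        raise ValueError("truncated SSRP response")
    body = datagram[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        # key;value;key;value...  A dangling key without a value is ignored.
        instances.append({fields[i]: fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances


def tcp_port_for(instances: List[Dict[str, str]], instance_name: str) -> Optional[int]:
    """TCP port the server advertises for instance_name, or None if the
    instance is unknown or has no TCP endpoint (e.g. named pipes only)."""
    for info in instances:
        if info.get("InstanceName", "").upper() == instance_name.upper():
            return int(info["tcp"]) if info.get("tcp", "").isdigit() else None
    return None


def resolve_port(instance_name: str, datagram: Optional[bytes]) -> Optional[int]:
    """What a driver effectively does with the SSRP answer. None means either
    no datagram came back (UDP 1434 filtered, so the query timed out) or the
    instance is not in the list; both look like 'invalid or not running'."""
    if datagram is None:
        return None
    return tcp_port_for(parse_svr_resp(datagram), instance_name)


def query_host(host: str, timeout: float = 2.0) -> Optional[bytes]:
    """Live SSRP enumeration; returns the raw datagram, or None on timeout.
    Needs UDP 1434 open to the host, so it is kept apart from the parser."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(CLNT_UCAST_EX, (host, SSRP_PORT))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    for info in parse_svr_resp(SAMPLE_RESPONSE):
        print(f"{info['InstanceName']:<12} tcp={info.get('tcp', '-'):<5} "
              f"np={info.get('np', '-')}")
    print("EXTRANET ->", resolve_port("EXTRANET", SAMPLE_RESPONSE))
    print("EXTRANET with UDP 1434 blocked ->", resolve_port("EXTRANET", None))
```

The lookup is only needed at connection time, so the alternative to opening UDP 1434 through the firewall is to pin the instance to a fixed TCP port in the server's network configuration, forward that one port from the web server's address only (as James recommends for 1433), and put the port rather than the instance name in the data source, so the driver never asks SSRP at all. `query_host()` is the live form of the same lookup for checking a real server from the DMZ host, and returning None from it is exactly the "filtered" case the parser cannot distinguish from an unknown instance.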