On Fri, 9 May 2003, Jamin W. Collins wrote:

> If a service being provided has a flaw in it that is exploitable, your network is vulnerable either way. It's just a question of how vulnerable. The only containment that would really work is constructing a DMZ, not simply moving the service being provided to another box.

A DMZ is always a good idea...

> > To further extend this, in theory, if you trust your firewall, then you can run vulnerable services behind it and not have to worry so much (I run test servers and so forth at home behind a firewall, yet I implicitly trust my firewall to block access to it from the Internet, so I feel - relatively - safe).
>
> This is only true if you don't provide access to these services through something such as port-forwarding. In such cases running the service on the firewall is no different. Sure it's still frowned upon, but lack of

Running the service on another machine *is* different, because breaking the service doesn't give the attacker the ability to remove whatever protections the firewall has in place - for instance, the attacker can't fire up a proxy on another port and start running spam and DoS attacks through it, because your firewall will[1] be denying connections to all ports on the protected machines except those it knows it should be allowing. If you're port forwarding, then unknown ports just bounce off your firewall's closed ports.

It comes down to what you're looking to protect in the main - your machines, or your reputation on the internet. If it's your machines, then cut your internet cable, because allowing any service is a potential in on (at least) that machine. Segregating every externally-accessible machine into its own little DMZ will control the damage, but not eliminate it.

-- 
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
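The containment argument in the reply above, worked through as an added example (this is not code from the thread or from either poster). It models a default-deny packet filter and compares the same exploitable web service placed on a DMZ host behind the firewall versus on the firewall box itself; in both cases the attacker breaks the service and starts a proxy on a second port, and the question is whether the Internet can reach that proxy. All hosts, addresses and ports are constructed, and the `proc_can_edit_rules` flag is an assumption about whether the compromised process on the firewall box has enough privilege to change the ruleset. The iptables commands in the docstring are the standard ruleset the model mirrors; the code itself does not touch iptables.

```python
"""Model of the containment argument: a default-deny forwarding firewall in
front of a DMZ host exposes only the ports it was told to forward, so a
compromised service on that host cannot make a new listener reachable.

Added example, not from the original thread. Hosts, addresses and ports are
constructed. The policy mirrors this minimal iptables ruleset (orientation
only; nothing here runs iptables):

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
    iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.10 --dport 80 -m state --state NEW -j ACCEPT
"""
from dataclasses import dataclass, field

FIREWALL_ADDR = "198.51.100.1"    # constructed public address of the firewall box
DMZ_ADDR = "192.168.1.10"         # constructed DMZ host behind the firewall
WEB_PORT = 80                     # the exposed (and exploitable) service
PROXY_PORT = 8080                 # port the attacker's proxy will listen on


@dataclass
class Host:
    name: str
    addr: str
    listeners: set = field(default_factory=set)   # TCP ports with a process listening

    def start_listener(self, port: int) -> None:
        self.listeners.add(port)


@dataclass
class Firewall:
    """Packet filter with DROP policies on INPUT and FORWARD.

    input_accept: local ports the firewall box accepts connections to.
    forwards: (host addr, port) pairs exposed by a DNAT rule plus FORWARD ACCEPT.
    A value of None for either table means 'accept everything' (rules flushed).
    """
    input_accept: set = field(default_factory=set)
    forwards: set = field(default_factory=set)

    def flush(self) -> None:
        """Equivalent of 'iptables -F; iptables -P INPUT ACCEPT': protection gone."""
        self.input_accept = None
        self.forwards = None

    def passes(self, target_addr: str, port: int, local: bool) -> bool:
        table = self.input_accept if local else self.forwards
        if table is None:
            return True
        return port in table if local else (target_addr, port) in table


def connect(fw: Firewall, fw_host: Host, target: Host, port: int) -> str:
    """Outcome of an Internet client connecting to target:port through fw."""
    local = target is fw_host
    if not fw.passes(target.addr, port, local):
        return "dropped"   # no matching rule: the packet never reaches a socket
    return "open" if port in target.listeners else "refused"


def service_in_dmz() -> dict:
    """Web service on a DMZ host; attacker compromises it and starts a proxy."""
    fw_host = Host("firewall", FIREWALL_ADDR)
    dmz = Host("dmz", DMZ_ADDR, {WEB_PORT})
    fw = Firewall(forwards={(DMZ_ADDR, WEB_PORT)})
    result = {"web": connect(fw, fw_host, dmz, WEB_PORT)}
    dmz.start_listener(PROXY_PORT)   # attacker now owns the DMZ box ...
    # ... but has no handle on `fw`: the ruleset lives on another machine.
    result["proxy"] = connect(fw, fw_host, dmz, PROXY_PORT)
    return result


def service_on_firewall(proc_can_edit_rules: bool) -> dict:
    """Same service running on the firewall box itself.

    proc_can_edit_rules is an assumption about the compromised process: True
    if it has enough privilege to change the ruleset (e.g. it runs as root).
    """
    fw_host = Host("firewall", FIREWALL_ADDR, {WEB_PORT})
    fw = Firewall(input_accept={WEB_PORT})
    result = {"web": connect(fw, fw_host, fw_host, WEB_PORT)}
    fw_host.start_listener(PROXY_PORT)
    if proc_can_edit_rules:
        fw.flush()                   # the protection was on the compromised box
    result["proxy"] = connect(fw, fw_host, fw_host, PROXY_PORT)
    return result


if __name__ == "__main__":
    print("service in DMZ:             ", service_in_dmz())
    print("service on firewall (root): ", service_on_firewall(True))
    print("service on firewall (unpriv):", service_on_firewall(False))
```

The DMZ case comes out with the forwarded port open and the proxy port dropped regardless of what the attacker does on the DMZ host, which is the point made above. The on-firewall case only stays contained while the compromised process cannot edit the rules; once it can, flushing the ruleset exposes the proxy along with everything else on that box.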

