On Sat, May 10, 2003 at 03:23:13PM +1000, Matthew Palmer wrote:
> On Fri, 9 May 2003, Jamin W. Collins wrote:
> >
> Imagine, for example, that in order for the attacker to get in, they
> need to crash apache in some way. Somebody's likely to notice that
> sort of thing. Without a firewall (or with a firewall the attacker
> can fux0r with) they can punch a hole, install a backdoor, and then
> restart apache. Downtime? A couple of minutes. But you're
> thoroughly r00ted, because s/h/it can get back in any time they like
> from now on, with you being none the wiser.
>
> With a real firewall in place, to get in to your machine to do any
> damage, they've got to crash apache each time and get in that way.
> "Somebody's gonna notice..."

No, they don't. All they have to do is install a proxy that will connect
out rather than wait for a connection in. In most non-DMZ scenarios this
will bypass the firewall as it's an outbound connection from an allowed
source.

> If you're attacking my arguments to make a DMZ look more acceptable,
> don't bother.

I'm not, I simply don't agree that there's a significant difference
between services running on a firewall machine and services running on
systems behind the firewall but not in a DMZ.

> I know DMZs are a good thing, and for anyone watching this at home: If
> you can possibly wangle it, put all externally accessible machines in
> a DMZ which is totally untrusted by everything else. Treat your
> external servers as though they were already cracked.

Agreed.

> All I'm saying is that servers on the regular internal network,
> secured by a serviceless firewall, are still better than externally
> accessible services on the firewall itself. I hope you'll agree with
> that.

I still disagree.

-- 
Jamin W. Collins

Remember, root always has a loaded gun. Don't run around with it unless
you absolutely need it. -- Vineet Kumar
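As an added example, not part of this thread or either poster's setup: the "connect out" proxy only gets past the firewall when outbound traffic from servers is allowed by default. The Python below turns a per-server egress allowlist (servers treated as already cracked) into default-deny iptables FORWARD rules that log what they drop, and audits sample outbound-connection log lines against the same policy. The hosts, addresses, policy and log format are all constructed.

```python
# Constructed egress policy: server host -> set of (dst, dport, proto) it is
# allowed to initiate. Everything else a server starts is treated as suspect.
EGRESS_POLICY = {
    "192.0.2.10": {("192.0.2.53", 53, "udp")},    # web server: DNS to local resolver only
    "192.0.2.11": {("203.0.113.25", 25, "tcp")},  # mail relay: upstream SMTP only
}

# Constructed log lines in a simple key=value form (not any real firewall's format).
SAMPLE_LOG = """\
2003-05-10T15:30:01 OUT src=192.0.2.10 dst=192.0.2.53 dport=53 proto=udp
2003-05-10T15:30:02 OUT src=192.0.2.10 dst=198.51.100.7 dport=4444 proto=tcp
2003-05-10T15:30:03 OUT src=192.0.2.11 dst=203.0.113.25 dport=25 proto=tcp
2003-05-10T15:30:04 OUT src=192.0.2.10 dst=198.51.100.8 dport=80 proto=tcp
2003-05-10T15:30:05 OUT src=192.0.2.12 dst=198.51.100.9 dport=443 proto=tcp
2003-05-10T15:30:06 IN src=198.51.100.9 dst=192.0.2.10 dport=80 proto=tcp
"""

def render_iptables(policy):
    """Emit FORWARD rules: accept only allowlisted egress per host, then log and drop the rest."""
    rules = []
    for src, allowed in sorted(policy.items()):
        for dst, dport, proto in sorted(allowed):
            rules.append(f"iptables -A FORWARD -s {src} -d {dst} -p {proto} --dport {dport} -j ACCEPT")
        # Anything else the host initiates is logged (so somebody does notice) and dropped.
        rules.append(f"iptables -A FORWARD -s {src} -j LOG --log-prefix 'EGRESS-DENY '")
        rules.append(f"iptables -A FORWARD -s {src} -j DROP")
    return rules

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, direction, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return ts, direction, f["src"], f["dst"], int(f["dport"]), f["proto"]

def unexpected_egress(log_text, policy):
    """Return (src, dst, dport, proto, reason) for outbound connections the policy would not permit."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, direction, src, dst, dport, proto = parse_line(line)
        if direction != "OUT":
            continue  # inbound traffic is handled by the ordinary ingress rules, not this check
        allowed = policy.get(src)
        if allowed is None:
            flagged.append((src, dst, dport, proto, "host has no egress policy"))
        elif (dst, dport, proto) not in allowed:
            flagged.append((src, dst, dport, proto, "not in allowlist"))
    return flagged
```

Running `unexpected_egress(SAMPLE_LOG, EGRESS_POLICY)` flags the web server's connections to port 4444 and port 80 on outside hosts, and the host with no policy at all; the rules from `render_iptables` are what would have dropped and logged them.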

