On Tue, Jul 24, 2001 at 10:50:28AM -0700, Cory Petkovsek wrote:
>
> In this situation, the most likely way your network is cracked is through the
> webserver or another service. Now the webserver is cracked, and we find ourselves in
> a DMZ or some portion of a network:
>
> fw:          web (we are here):   mail:
> 22 ssh       80                   25
> 53 domain                         110
> 2049 nfs
>
> Now we have more access to the firewall.
>
> The point of the point:
> There aren't likely any services running on the firewall open to the internet,
> except perhaps ssh. Therefore, I claim a network is more likely to become cracked
> through a forwarded port, behind the (or a) firewall. So the firewall shouldn't
> trust its network any more than the internet, or more than necessary.
> >
> > In other words, (some of) your internal network should be able to
^^^^^^^
> > connect
> > to your firewall
Did you not read this? It's also better to set up your f/w to not
allow any internet address to connect for ssh, since you probably
have some idea about what IP you will be connecting from. Access to
sshd should be as limited as possible. Your DMZ should not be able
to connect to anything on a secure network, and there's no need for
anything there to connect to the f/w. If I'm not mistaken, that's
the point of a DMZ.
Similarly, access to the f/w should be limited to one machine on
the secure network, the admin's box.
You know, some people even set up an "invisible" f/w, that has no IP,
and therefore cannot be connected to at all.
Granted, this doesn't work in every situation; there are as many different
network topologies as people, maybe even more ;)
I was thinking more of the home user, who probably isn't forwarding
connections.
My point is that you should not trust a machine that is open to internet
traffic to connect to a secure network. Some may call that "paranoid";
I call it practical.
> > , but your firewall should not be able to connect to
> > anything on your internal network.
So even if they do get to ssh into the f/w from the DMZ (which I
suggest disallowing, through both packet filtering and ssh configuration),
they still cannot attack your secure network.
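The policy argued for in this thread (sshd on the firewall reachable only from the admin's box; the DMZ unable to reach the firewall or the secure network; the firewall itself unable to initiate anything into the secure network; default deny) is easy to state and easy to get subtly wrong. The following is an added example, not code from either poster: a small first-match packet-filter evaluator that compares a "trust the inside interfaces" rule set with the hardened one, and shows what a cracked web server in the DMZ can still reach under each. The host names, zones, rule model and probe list are constructed for illustration and are not from the thread.

```python
# Added example: toy first-match packet-filter evaluator comparing a
# "trust the inside" policy with the policy argued for in the thread.
# All host names, zones and probes below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed topology: which zone each host sits in. Any host not listed
# (e.g. an attacker's box) is treated as being on the Internet.
HOSTS = {
    "fw": "fw",
    "web": "dmz", "mail": "dmz",
    "admin": "secure", "fileserver": "secure",
}

def zone_of(host: str) -> str:
    return HOSTS.get(host, "internet")

@dataclass(frozen=True)
class Rule:
    src: str                 # host name, zone name, or "any"
    dst: str                 # host name, zone name, or "any"
    dport: Optional[int]     # None = any destination port
    action: str              # "allow" or "deny"

def _matches(pattern: str, host: str) -> bool:
    # A pattern matches a host by name, by the host's zone, or as a wildcard.
    return pattern in ("any", host, zone_of(host))

def evaluate(rules, src: str, dst: str, dport: int) -> bool:
    """First matching rule wins; no match at all means deny (default deny)."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst) and r.dport in (None, dport):
            return r.action == "allow"
    return False

# Policy 1: the firewall exposes sshd to the world and trusts every packet
# arriving on a non-Internet interface. This is the setup the thread warns against.
TRUST_INSIDE = (
    Rule("internet", "web", 80, "allow"),    # forwarded port
    Rule("internet", "mail", 25, "allow"),   # forwarded port
    Rule("any", "fw", 22, "allow"),          # ssh reachable from anywhere
    Rule("dmz", "any", None, "allow"),       # "inside" interfaces are trusted
    Rule("secure", "any", None, "allow"),
)

# Policy 2: the rules argued for in the thread. Only the admin box may ssh to
# the firewall; nothing else may talk to the firewall at all; the DMZ and the
# firewall itself may not initiate connections into the secure network.
HARDENED = (
    Rule("internet", "web", 80, "allow"),
    Rule("internet", "mail", 25, "allow"),
    Rule("admin", "fw", 22, "allow"),
    Rule("any", "fw", None, "deny"),
    Rule("dmz", "secure", None, "deny"),
    Rule("fw", "secure", None, "deny"),
    Rule("secure", "internet", None, "allow"),
)

# Constructed probe list: what an attacker sitting on the cracked web server
# would try next (ssh and nfs on the firewall, hosts on the secure network).
PROBES = (("fw", 22), ("fw", 2049), ("admin", 22), ("fileserver", 2049))

def reachable_from(src: str, rules) -> Set[Tuple[str, int]]:
    """Return the (host, port) pairs in PROBES that `src` is allowed to reach."""
    return {(dst, port) for dst, port in PROBES if evaluate(rules, src, dst, port)}

if __name__ == "__main__":
    for name, rules in (("trust-inside", TRUST_INSIDE), ("hardened", HARDENED)):
        print(f"{name:12s} cracked web server can reach: {sorted(reachable_from('web', rules))}")
```

The point of the comparison is the ordering in `HARDENED`: the single `admin -> fw:22` allow is placed before a blanket `any -> fw` deny, so the DMZ hosts and the Internet are treated identically with respect to the firewall, and the explicit `dmz -> secure` and `fw -> secure` denies mean a foothold on the web server (or on the firewall itself) gains nothing on the secure network. Under `TRUST_INSIDE` the same foothold reaches everything probed.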