Frederick M Avolio wrote:
>
> At 06:41 PM 11/23/99 +0000, Gavin Kerr wrote:
>
> > Let's be a bit more specific.
> >
> > An Application gateway makes your network more vulnerable to *some*
> > kinds of attack, and a packet filter makes your network more vulnerable
> > to *some* kinds of attack (Each compared to the other).
> >
>
> If you are saying that there are some attacks for which an application
> gateway leaves you vulnerable that a packet filter doesn't... well
> maybe I am tired (leaving myself a not-so-graceful out), but I don't
> think so. Maybe it is semantics. Would you be specific?
Surely.
An application proxy (Bastion host) is generally more susceptible to a
direct attack. It is running services etc and, therefore, has bugs that
can be exploited.
A packet filter (as was said before) allows a person to connect directly
to a machine inside your network.
So they are both "vulnerable" to different kinds of attack. In the case
of the proxy host, to a direct attack, and in the case of a packet
filter, to an attack on your actual systems.
> > The old fashioned "Make 'em go for someone easier..."
> >
>
> Of course. I assume by "old fashioned" you mean "tried and true." As
> most of the attacks on the Internet are replays of old fashioned
> attacks, and as "make 'em go for someone easier" still works well for
> many, it makes sense to me.
>
> > The major difference between bastion host and packet filter is to do
> > with network design. I like packet filters and a DMZ because it makes
> > *my* current network design "fit" easier. We have hosts we want the net
> > to have access to, and it's simply easier for me to use a DMZ, and
> > rebuild the box if/when it gets trashed.
> >
>
> I like a packet filter on the outside and a stronger, less permissive
> firewall on the inside, with a DMZ with hardened servers in between.
> But "rebuild the box if/when it gets trashed" is somewhat chilling, or
> should be to some. A trashed system? Loss of revenue, reputation,
> stock value, customers, and -- in some places and depending on what
> the trashed system was used for -- possible legal liability.
Maybe I wasn't clear enough. I wouldn't put a system in the DMZ that I
would be greatly upset if it did get trashed.
Obviously I take all the necessary precautions on all the machines in
the DMZ. I also make the packet filter very restrictive, but the fact is
that if someone was *determined* to attack my company, and was
technically competent (i.e. NOT a script kiddie) they could probably trash
one of the machines in the DMZ. I'd say that the same is true of *any*
network that isn't physically disconnected from the rest of the world.
The packet filter setup makes it that much harder for them to get beyond
the DMZ (And the machines that I set up in a way to make them less
vulnerable to attack) and on to the machines that are on the internal
network, and we're back to the "go attack someone else, it's easier". If
I'd gone for a bastion host / proxy setup, then I'd be open to every
script kiddie that had an exploit for a bug in a service on the
firewall.
As I said, it's a matter of design. If I was running an e-commerce site
I'd look at it in a far different way. Probably involving packet filters
*and* port redirection from a bastion host, but it's unnecessarily
complicated for the network we have here, and the limited services being
allowed to the net (WWW site only).
> Fred
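The design argued for above (a restrictive outer packet filter, a DMZ offering only WWW to the net, and nothing from the DMZ allowed to initiate inward) modelled as a small zone-based filter. This is an added example, not code from the thread; the 192.0.2.0/24 DMZ, 10.0.0.0/8 internal range and WWW host address are constructed, and the model is stateless (reply traffic is not handled).

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the three zones discussed in the thread.
ZONES = {
    "dmz":      ip_network("192.0.2.0/24"),   # hardened, rebuildable servers
    "internal": ip_network("10.0.0.0/8"),     # the machines the filter shields
}
WWW_HOST = ip_address("192.0.2.10")          # the one DMZ service offered to the net

def zone(ip: str) -> str:
    """Classify an address as dmz, internal, or (by default) internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Rule tuples: (src_zone, dst_zone, dst_ip or None, dport or None, action).
# First match wins; anything unmatched falls through to the default drop.
RULES = [
    ("internet", "dmz",      WWW_HOST, 80,   "accept"),  # WWW site only
    ("internal", "dmz",      None,     None, "accept"),  # admins manage DMZ boxes
    ("internal", "internet", None,     None, "accept"),  # outbound from inside
    ("dmz",      "internal", None,     None, "drop"),    # trashed DMZ box can't pivot
]
DEFAULT = "drop"

def decide(src: str, dst: str, dport: int) -> str:
    """Return the filter verdict for one new connection attempt."""
    sz, dz = zone(src), zone(dst)
    for rsz, rdz, rip, rport, action in RULES:
        if (sz == rsz and dz == rdz
                and (rip is None or ip_address(dst) == rip)
                and (rport is None or rport == dport)):
            return action
    return DEFAULT

if __name__ == "__main__":
    # Constructed connection attempts: only the WWW service is reachable
    # from the net, and the DMZ cannot open anything toward internal hosts.
    for pkt in [("203.0.113.5", "192.0.2.10", 80),
                ("203.0.113.5", "192.0.2.10", 22),
                ("203.0.113.5", "10.1.2.3", 80),
                ("192.0.2.10", "10.1.2.3", 445)]:
        print(pkt, "->", decide(*pkt))
```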