I hadn't replied to this because I didn't plan to. But someone sent me email sort of encouraging me to. See comments in line.

At 12:38 PM 11/24/99 +0000, Gavin Kerr wrote:
> If you are saying that there are some attacks for which an application
> gateway leaves you vulnerable that a packet filter doesn't... well
> maybe I am tired (leaving myself a not-so-graceful out), but I don't
> think so.  Maybe it is semantics. Would you be specific?

> An application proxy (Bastion host) is generally more susceptible to a
> direct attack. It is running services etc and, therefore, has bugs that
> can be exploited.

I see your point, but it is based on a false premise. First, we ought to clarify terms. A "bastion host" is a hardened host (often running a multipurpose operating system, such as UNIX or NT) usually used as a foundation for a firewall. This can be any kind of firewall -- application gateway (aka proxy-based), circuit, packet filter -- stateful/dynamic or static, or a hybrid. A "bastion host" can (should) also be the foundation for a web server, for example.

A bastion host, by definition, does not run a lot of services. Those that it does run are made as secure as possible. While the base OS is generally more complex than that of a router, and so possibly more vulnerable to attack, router operating systems have had reported vulnerabilities (see CERT advisories on Cisco IOS).

> A packet filter (as was said before) allows a person to connect directly
> to a machine inside your network.

Of course, which is what makes the statement that this is your standard, recommended configuration so extraordinary.

> So they are both "vulnerable" to different kinds of attack. In the case
> of the proxy host, to a direct attack, and in the case of a packet
> filter, to an attack on your actual systems.

So in the first case the firewall can be attacked and may make your entire network vulnerable. In the second case, every host on the inside can be attacked making your entire network vulnerable. Along with Mark Twain, I like putting all my eggs in the one basket...

> The packet filter setup makes it that much harder for them to get beyond
> the DMZ (And the machines that I set up in a way to make them less
> vulnerable to attack) and on to the machines that are on the internal
> network, and we're back to the "go attack someone else, it's easier". If
> I'd gone for a bastion host / proxy setup, then I'd be open to every
> script kiddie that had an exploit for a bug in a service on the
> firewall.

This would be true if the bastion host were not a bastion host. But then in your suggested setup every internal host is at the mercy of every script kiddie who has a script for any of your allowed services that you allow from the outside to every inside host.

> As I said, it's a matter of design. If I was running an e-commerce site
> I'd look at it in a far different way. Probably involving packet filters
> *and* port redirection from a bastion host, but it's unnecessarily
> complicated for the network we have here, and the limited services being
> allowed to the net (WWW site only).

Granted for a particular network the less granular, more permissive filtering setup you describe is probably adequate. What got my attention was your statement that this is your commonly recommended configuration. Nevertheless I am not looking for a fist fight after school on the playground. :-)


Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
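The exposure difference the two designs argue over can be made concrete by evaluating a first-match, default-deny rule set against every (host, port) pair an outside address might probe. This is an added example, not code from the thread or from either participant; the addresses, hosts and rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    src: str            # CIDR of permitted source addresses
    dst: str            # CIDR of destination addresses
    port: Optional[int] # destination port, None = any port
    action: str         # "allow" or "deny"


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate one packet against an ordered rule list; unmatched traffic is denied."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


def exposed(rules: List[Rule], hosts: List[str], ports: List[int],
            attacker: str = "203.0.113.7") -> Set[Tuple[str, int]]:
    """Return every (host, port) an outside address can reach directly through the filter."""
    return {(h, p) for h in hosts for p in ports
            if first_match(rules, attacker, h, p) == "allow"}


# Constructed topology: one web host in the DMZ, three hosts on the inside network.
DMZ_WEB = "192.0.2.10"
INSIDE = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]
PROBE_PORTS = [22, 80, 443, 3306]

# Design A (constructed): packet filter passes HTTP from anywhere to every inside host.
packet_filter = [Rule("0.0.0.0/0", "192.0.2.10/32", 80, "allow"),
                 Rule("0.0.0.0/0", "10.0.0.0/24", 80, "allow")]

# Design B (constructed): only the bastion/proxy in the DMZ is a reachable destination;
# inside hosts are explicitly denied, so the proxy is the single directly attackable system.
bastion_gateway = [Rule("0.0.0.0/0", "192.0.2.10/32", 80, "allow"),
                   Rule("0.0.0.0/0", "10.0.0.0/24", None, "deny")]


def compare() -> dict:
    """Directly reachable (host, port) pairs under each design."""
    hosts = [DMZ_WEB] + INSIDE
    return {"packet_filter": exposed(packet_filter, hosts, PROBE_PORTS),
            "bastion": exposed(bastion_gateway, hosts, PROBE_PORTS)}
```

Under design A every inside host answers directly to the outside on the allowed service, which is the "every host on the inside can be attacked" case; under design B only the bastion is reachable.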