OK. How about a scenario. The winning respondent will not win a prize unless
they are prepared to pay postage. ;)

I'm about to implement a solution where two networks owned by different
people are sitting "next" to each other. The network of the company I'm
working for (Company1) is connected to the Internet. They have filtering
stuff in place and are happy with the level thereof. Company2 have a higher
security requirement.

Company1 own a dual ethernet router. Eth0 goes to Company1 internal and Eth1
goes to the DMZ between the companies. On the other side of that ethernet
segment is the outside of Company2's firewall stuff, which is not directly my
problem.

For a mission critical app, active FTP is required from a Company2 host
_direct_ to a Company1 host and vice-versa. PASV is not an option. I opened
my big mouth and suggested that that really killed the whole point of having
a DMZ and wasn't very secure.

At the time, I suggested putting an OpenBSD box in the DMZ running ipnat
with the FTP proxy that comes built in as a quick fix. The Cisco between C1
and DMZ will let me do SPF and C2's stuff will do the same thing (it's an old
FW-1 - ick). That means that the path between C1 and C2 for FTP will go host
- router (SPF) - ipnat (ftp proxy) - FW-1 (SPF) - host.

My threat model is this: The host in C1's network that is allowed (by IP
address) to FTP to C2 is compromised. I know that if the FTP daemon on C2's
host is bad then that host can be compromised from there.

How about other possible attacks along the bogus PORT command lines?

As an aside, anyone know offhand if I can get OpenBSD to run connections
from both sides through the proxy, not just on the side that gets NAT'ed?

Anyone have any better suggestions for a secure FTP proxy to put in the DMZ?

Cheers,

--
Ben Nagy
Network Consultant, Volante IT
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  

> -----Original Message-----
> From: Mikael Olsson [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 June 2000 4:00 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: ftp-data and MASQerading
[interesting discussion between Carson and Mike snipped]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
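As an added illustration (not code from the thread, the poster, or OpenBSD's ipnat), the kind of check a DMZ FTP proxy can apply to the bogus PORT commands raised above: the data-connection address in a PORT command must be the client's own control-connection address, and the port must be unprivileged. Addresses and commands below are constructed samples.

```python
"""Validate active-mode FTP PORT commands the way a DMZ FTP proxy would.

PORT h1,h2,h3,h4,p1,p2 names the address and port the server should connect
back to for the data channel. A proxy should relay it only when the address
is the peer on the control connection and the port is unprivileged; anything
else (third-party address, service port, malformed octets) is refused.
"""
import re

# PORT followed by exactly six comma-separated decimal fields.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(cmd: str):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):          # each field is one byte
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]         # p1 is the high byte
    return ip, port


def check_port(cmd: str, control_peer: str) -> tuple[bool, str]:
    """Decide whether a PORT command from control_peer may be relayed.

    control_peer is the source address of the FTP control connection as
    the proxy sees it. Returns (allowed, reason).
    """
    parsed = parse_port(cmd)
    if parsed is None:
        return False, "malformed PORT command"
    ip, port = parsed
    if ip != control_peer:
        # Data channel would be opened to a third host: the bounce case.
        return False, f"PORT address {ip} is not the control peer {control_peer}"
    if port < 1024:
        # Server would connect to a privileged/service port on the client.
        return False, f"PORT to privileged port {port}"
    return True, f"relay data connection to {ip}:{port}"


if __name__ == "__main__":
    # Constructed sample: client 10.1.1.5 on the control connection.
    for line in ("PORT 10,1,1,5,4,1", "PORT 10,1,1,9,0,25",
                 "PORT 10,1,1,5,0,25", "PORT 10,1,1,5,300,1", "PORT junk"):
        print(line, "->", check_port(line, "10.1.1.5"))
```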
