At 17:07 4/12/2000 -0500, Paul D. Robertson wrote:
>On Mon, 4 Dec 2000, Samir Fahim wrote:
>
>> Oooh calm down there !
>
>I'm perfectly calm.
>
>> What I meant by opening TCP high ports on the Firewall is the normal
>> procedure if you have an application running at high ports and you want to
>> debug it to perform some fine tuning on your application. Since the daemons
>
>In a well-run environment, application debugging shouldn't be happening
>between an Internet exposed host and a protected network.  Do you think
>it's common practice to not have development machines?  Best practice?  I
>happen to think that a good firewall administrator should be in a stable
>enough place to be able to enforce general "goodness" in an organization.
>
>> running at tcp-high should not provide root access(wr) on your system; the
>> risk to provide root-access with your application is low! BUT still exists.
>> An FTP daemon contains "some" risks because it runs in TCP-low. The best
>> way to solve it in my opinion is by
>
>It's pretty easy to change the water-mark for priv. ports in most modern
>OS'.  That doesn't always mitigate the largest risk, and assumes a
>correctly administered and patched system- a rarity these days it would
>seem.
>
>>
>> 1)using a "proxy server" between your CORBA server and Firewall, and let
>> every at random sessions be port-mapped by your proxy to a known port of
>> your choice; after that define a rule on your Firewall for this typical
>> traffic.
>
>My contention is that automatically deciding that random port-hopping
>CORBA applications should automatically pass trust boundaries is a bad thing.
>The proclivity  for some administrators to roll over at any sign of poor
>protocol design sets us all back.  You're assuming a predicate of passing
>the traffic and figuring out how to do it while I'm contesting the
>predicate itself.
>
>> 2)If you have a RAPTOR Proxy Firewall, you can define a proxy-daemon on
>> your Firewall that fits your CORBA application. The Raptor Firewall also
>> provides the possibility of OS hardening(strips the OS & kills all
>> unnecessary applications & shells running on your Firewall) by default.
>
>I doubt your definition of proxy matches mine.  I'm no plug-gw fan either.

What is your def of proxy? I'm sure you know what I mean by proxy in this
case (stateful vs proxy based fw).
In the Raptor Fw you can define your own proxy by means of protocol(TCP,
UDP or both) + ports...

>> 3) Use HP-VVAULT B2 OS, ... for more info check www.hp.com/security
>
>Compartmented OS' are a good architecture but not too widely deployed.
>That's a shame, because they mitigate significant risk when correctly
>administered.  

Yep!

>Problem is that admins will eventually grant rights or
>roles that are inappropriate just as they'll pass inappropriate traffic.
>Hence we draw a circle.

+- no, You are right at one level but...
since B2 level OS has no root users, indeed you can define a user with all
kind of privileges, but since a particular user can only be granted rwx
access in a particular compartment, he never gets full rw access in another
compartment! This level of AC (MAC + DAC) just protects abuse on the whole
OS and prevents the recreation of a new kind of root user.

regards,

Samir
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
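As an added illustration of the MAC + DAC layering Samir describes above (this is example code written for this page, not code from the thread and not HP's actual VirtualVault implementation; the compartment names, subjects and the "dac_override" privilege are all constructed), the following toy Python model evaluates a mandatory compartment check first and a discretionary owner/mode check second. No identity in the model bypasses the compartment check, so an administrator holding every DAC privilege in one compartment still cannot read or write objects in another unless a compartment clearance is explicitly granted, and that grant is recorded.

```python
# Toy model of compartmented (MAC) + discretionary (DAC) access control.
# Added example for illustration only; not HP's implementation.
from dataclasses import dataclass, field
from typing import List


@dataclass
class Subject:
    name: str
    compartments: frozenset          # compartments this subject is cleared for (MAC)
    privileges: frozenset = frozenset()  # DAC-only privileges, e.g. {"dac_override"}


@dataclass
class Obj:
    name: str
    compartment: str   # every object lives in exactly one compartment
    owner: str
    mode: str          # simplified owner permission string, e.g. "rw-"


# Audit trail for clearance changes: the "admins will eventually grant
# rights" risk is visible here, because widening a clearance is the only
# way a subject ever crosses into another compartment.
AUDIT: List[str] = []


def mac_allows(subject: Subject, obj: Obj) -> bool:
    """Mandatory check: the subject must be cleared for the object's compartment."""
    return obj.compartment in subject.compartments


def dac_allows(subject: Subject, obj: Obj, access: str) -> bool:
    """Discretionary check: owner mode bits, or a DAC-override privilege."""
    if "dac_override" in subject.privileges:
        return True
    if subject.name != obj.owner:
        return False
    return access in obj.mode


def check_access(subject: Subject, obj: Obj, access: str) -> bool:
    """Both layers must allow the request; MAC is evaluated first and no
    privilege can override it, so there is no 'root' in this model."""
    if not mac_allows(subject, obj):
        return False
    return dac_allows(subject, obj, access)


def grant_compartment(granting_admin: Subject, subject: Subject, compartment: str) -> Subject:
    """Widen a subject's clearance. Returns a new Subject and records the grant,
    so the circle Paul describes is at least auditable."""
    AUDIT.append(f"{granting_admin.name} granted {subject.name} clearance for {compartment}")
    return Subject(subject.name, subject.compartments | {compartment}, subject.privileges)


# Constructed sample data: two compartments, a web administrator with full
# DAC override in "web", and a payroll clerk with plain owner rights.
WEB_ADMIN = Subject("web_admin", frozenset({"web"}), frozenset({"dac_override"}))
PAYROLL_CLERK = Subject("clerk", frozenset({"payroll"}))
SECURITY_OFFICER = Subject("iso", frozenset({"web", "payroll"}))

WEB_LOG = Obj("/var/log/httpd", "web", "httpd", "rw-")
PAYROLL_DB = Obj("/payroll/salaries.db", "payroll", "clerk", "r--")


def demo() -> dict:
    """Exercise the model; returns the outcomes so they can be checked."""
    results = {
        # dac_override works, but only inside the admin's own compartment
        "admin_writes_web_log": check_access(WEB_ADMIN, WEB_LOG, "w"),
        "admin_reads_payroll": check_access(WEB_ADMIN, PAYROLL_DB, "r"),
        # clerk is the owner but the mode is read-only
        "clerk_reads_payroll": check_access(PAYROLL_CLERK, PAYROLL_DB, "r"),
        "clerk_writes_payroll": check_access(PAYROLL_CLERK, PAYROLL_DB, "w"),
    }
    # The only way across: an explicit, audited clearance grant.
    widened = grant_compartment(SECURITY_OFFICER, WEB_ADMIN, "payroll")
    results["admin_reads_payroll_after_grant"] = check_access(widened, PAYROLL_DB, "r")
    results["audit_entries"] = len(AUDIT)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is that the privilege which would be "root" in a conventional OS (dac_override) is scoped by the compartment label and cannot be used to manufacture a global superuser; the remaining exposure is the administrative act of widening clearances, which is why the grant is logged.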
