On Mon, 4 Dec 2000, Samir Fahim wrote:
> Oooh calm down there!
I'm perfectly calm.
> What I meant by opening TCP high ports on the Firewall is the normal
> procedure if you have an application running at high ports and you want to
> debug it to perform some fine tuning on your application. Since the daemons
In a well-run environment, application debugging shouldn't be happening
between an Internet exposed host and a protected network. Do you think
it's common practice to not have development machines? Best practice? I
happen to think that a good firewall administrator should be in a stable
enough place to be able to enforce general "goodness" in an organization.
> running at tcp-high should not provide root access (wr) on your system; the
> risk to provide root-access with your application is low! BUT still exists.
> An FTP daemon contains "some" risks because it runs in TCP-low. The best
> way to solve it in my opinion is by
It's pretty easy to change the water-mark for priv. ports in most modern
OS'. That doesn't always mitigate the largest risk, and assumes a
correctly administered and patched system - a rarity these days it would
seem.
>
> 1)using a "proxy server" between your CORBA server and Firewall, and let
> every at random sessions be port-mapped by your proxy to a known port of
> your choice; after that define a rule on your Firewall for this typical
> traffic.
My contention is that automatically deciding that random port-hopping
CORBA applications should automatically pass trust boundaries is a bad thing.
The proclivity for some administrators to roll over at any sign of poor
protocol design sets us all back. You're assuming a predicate of passing
the traffic and figuring out how to do it while I'm contesting the
predicate itself.
> 2)If you have a RAPTOR Proxy Firewall, you can define a proxy-daemon on
> your Firewall that fits your CORBA application. The Raptor Firewall also
> provides the possibility of OS hardening (strips the OS & kills all
> unnecessary applications & shells running on your Firewall) by default.
I doubt your definition of proxy matches mine. I'm no plug-gw fan either.
> 3) Use HP-VVAULT B2 OS, ... for more info check www.hp.com/security
Compartmented OS' are a good architecture but not too widely deployed.
That's a shame, because they mitigate significant risk when correctly
administered. Problem is that admins will eventually grant rights or
roles that are inappropriate just as they'll pass inappropriate traffic.
Hence we draw a circle.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280