On Sun, 9 Jun 2002, Michel Py wrote:
> IPv4 / RFC1918 :
> ----------------
> - The network has a stateful firewall and uses NAT.
> - There is a web server with a public IP address in the DFZ.
> - There is a database server with an RFC 1918 address in the inside.
> - The web server needs to access the database server.
> - There is a hole in the firewall to let the web server access
>   the database server.
> - There is a backdoor in the database server. (1)
> - The hacker wants the contents of the database and knows about
>   the backdoor.
>
> How many things are necessary for the hacker to do in order to access
> the data? One: compromise the firewall. The hacker opens another hole in
> the firewall to allow backdoor access and creates a static NAT mapping
> and voila, data is gone.

You take one approach and disregard all the others.  The most common way
by far, I think, is to compromise the web server and access the database
server from there.

> How many things are necessary for the hacker to do in order to access
> the data? _more_ than one.

Assuming the web server is compromised, exactly one.

> If the hacker compromises the firewall and opens another hole in the
> firewall to allow backdoor access, it is not enough because the hacker's
> host does not have a route to the database server's site-local address.

1) Just wait for NATv6 if this practice becomes common enough.

2) Use Routing Header to bounce off from a router with both site-local and
   global address (or site-local routes).

Security is about finding the weakest links and strengthening them.  You
just looked at only one of them here..

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
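The disagreement above is really about how many links a threat model counts. The following is an added example, not code from the thread or from either poster: a small attack-graph model of the two scenarios (IPv4/RFC 1918 with NAT, and the same layout with a site-local database address) in Python. Every node name, edge and cost is a constructed assumption for the illustration. It goes slightly beyond the mail by enumerating every path from the Internet to the data ordered by the number of compromises required, which is how a reviewer finds the weakest link instead of costing only the path they happened to pick.

```python
# Added example (not from the original thread): an attack-graph model of the
# scenarios argued about above, used the way a defender would, to find the
# weakest link rather than to count the cost of one chosen path.
# All node names, edges and costs are constructed assumptions; nothing here
# describes a real network.
import heapq
from typing import Dict, List, Optional, Tuple

# node -> list of (next_node, cost, reason)
# cost = number of additional compromises the step requires
# (0 = reachable via something that already exists, e.g. an open hole)
Graph = Dict[str, List[Tuple[str, int, str]]]


def ipv4_nat_scenario() -> Graph:
    """Michel's IPv4/RFC 1918 setup: public web server, DB on RFC 1918 space,
    firewall hole web->db, backdoor on the DB server."""
    return {
        "internet": [
            ("webserver", 1, "compromise the public web server"),
            ("firewall", 1, "compromise the firewall"),
        ],
        # The web->db hole already exists and the backdoor is known, so from
        # the web server the DB costs nothing extra (Pekka's point).
        "webserver": [("db_backdoor", 0, "existing firewall hole web->db")],
        # From the firewall, adding a hole and a static NAT mapping are just
        # configuration changes on a box already owned (Michel's path).
        "firewall": [("db_backdoor", 0, "add hole + static NAT mapping")],
        "db_backdoor": [("data", 0, "use the backdoor")],
    }


def ipv6_site_local_scenario() -> Graph:
    """Same layout, but the DB has only a site-local address: owning the
    firewall is not enough because the attacker's host has no route there,
    so that path needs one more foothold with site-local reachability."""
    return {
        "internet": [
            ("webserver", 1, "compromise the public web server"),
            ("firewall", 1, "compromise the firewall"),
        ],
        "webserver": [("db_backdoor", 0, "existing firewall hole web->db")],
        # Hole opened, but no route: a second box with both a global and a
        # site-local address is needed before the backdoor is reachable.
        "firewall": [("dual_addressed_router", 1,
                      "compromise a router with site-local + global address")],
        "dual_addressed_router": [("db_backdoor", 0, "site-local route to DB")],
        "db_backdoor": [("data", 0, "use the backdoor")],
    }


def cheapest_paths(graph: Graph, start: str, goal: str) -> List[Tuple[int, List[str]]]:
    """Uniform-cost search over compromise count, returning every simple path
    from start to goal in non-decreasing cost order."""
    results: List[Tuple[int, List[str]]] = []
    heap: List[Tuple[int, List[str]]] = [(0, [start])]
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == goal:
            results.append((cost, path))
            continue
        for nxt, step_cost, _reason in graph.get(node, []):
            if nxt not in path:  # simple paths only, no revisiting
                heapq.heappush(heap, (cost + step_cost, path + [nxt]))
    return results


def weakest_link(graph: Graph) -> Tuple[int, List[str]]:
    """Minimum number of compromises needed to reach the data, and that path."""
    return cheapest_paths(graph, "internet", "data")[0]


def cost_via(graph: Graph, node: str) -> Optional[int]:
    """Cheapest path that passes through a given node, e.g. the firewall."""
    costs = [c for c, p in cheapest_paths(graph, "internet", "data") if node in p]
    return min(costs) if costs else None


if __name__ == "__main__":
    for name, g in (("IPv4 + NAT", ipv4_nat_scenario()),
                    ("IPv6 site-local", ipv6_site_local_scenario())):
        print(f"== {name} ==")
        for cost, path in cheapest_paths(g, "internet", "data"):
            print(f"  {cost} compromise(s): {' -> '.join(path)}")
        print(f"  weakest link: {weakest_link(g)}")
```

Running it shows that the firewall path costs one compromise under IPv4/NAT but two once the database is site-local only, while the web-server path costs one in both cases; the minimum over all paths, which is what actually matters, does not change between the two designs.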
