On Sat, Jun 08, 2002 at 06:38:22PM -0700, Michel Py wrote:
> - With an RFC 1918 host behind a firewall, compromising the firewall is
> enough to grant that host outside access. Single point of failure.
>
> - With a site-local only host behind a firewall, this becomes a double
> hack thing: you need to reconfigure the firewall _and_ reconfigure the
> host to give it a public IP.
>
> Let's look at the following situation: The hacker can reconfigure the
> firewall and is using an OS vulnerability that allows him to read data
> from the hosts but not to reconfigure it.

Virtually all 1918 "firewalls" I've experienced are at least capable of, and most
are also configured to do, NAT. Having NAT at the border of your firewall allows
Joe E. Hacker to get access to the internal machines by using pre-existing
border router capabilities.
I see no difference to the "public addresses and configured firewall"
scenario here - only that it is slightly more difficult to set up and maintain,
thus slightly easier to misconfigure. Oh, and it breaks lots of existing
and future protocols for machines that need access to the outside - or
requires putting specialized active code for each of them at the border.
Now, if you're talking about a firewall with internal 1918 addressing
that does NOT do IPNAT, I admit you're right. However, in that case, it
is easier to leave the cables disconnected, isn't it?
Ok, there might be a third class of machines besides "inside,
noaccess", and "outside" - "inside, global address, access to outside,
but need access to inside". In this case, Joe E. Hacker will attack
one of the third class machines to get access to the "secure" inside
machines. Single point of failure again, possibly multiple parallel
instances of it.
Regards,
-is