Greetings

>I'm sorry, but I really don't understand all the extreme caution over
>using separate firewall and server machines.
>With an up-to-date installation of (say) debian configured with a good
>stateful IPChains firewall, weekly, or better, nightly, updates from the
>security feed, the machine is likely to be one of the more secure ones
>on the internet, especially considering most people's standards of
>"security". Obviously, you would not want to expose more than the barest
>necessary ports to the outside world (mail & web, most likely).
>Here at home I have my firewall PC also acting as an internal samba
>server, mail server (SMTP & IMAP), etc. All ports with the exception of
>SSH and HTTP are firewalled off from the outside world - I even use
>fetchmail to clear my mail, so SMTP is not open, either.

1. Being more secure than average is no help against a worm - the right weak point is all that's needed. Ditto real attackers.

2. Minimal exposure is good. However, you also have to bear in mind what happens when the security of a component fails - does the system break open or fall shut?

3. Running complex services (which are more likely to have exploitable weaknesses) on the firewall makes the firewall subject to attack. If I can root the firewall, it effectively no longer exists - the internal network is fully exposed.

4. Running complex services behind a pinhole in the firewall (but still in the trusted network) means that I have to use the relevant protocol to attack that server. No big deal - I'd have to, anyway. If I can root the server, it becomes a springboard to attack the internal network (plus exposing anything else that server contains); however (unless you've got permissive outgoing policies 8) ) controlling my new conquest is still limited by the firewall's restrictions.

5. Running a separate public server in a DMZ means that, when it is compromised, only the DMZ becomes vulnerable. Going from the DMZ to the trusted network requires an attacker to penetrate a firewall (again), this time without the nice service pinholes.

>I'm also puzzled as to how much more secure a separate firewall and
>server would be. If you're going to have to pinhole the firewall for the
>web & mail server, it will be directly vulnerable to bugs and loopholes
>in those services, and the firewall will still be vulnerable to
>TCP/UDP/IP level attacks. Once an intruder gains access to either, they
>have essentially unrestricted access to your network anyway.

Most of the attacks that hurt are at the application level - and a typical firewall is nicely hardened against OSI layer 3-4 attacks anyway.

>Besides, what vitally-important data is being stored here that warrants
>this sort of setup?

If nothing else, the time involved in rebuilding a network - the default response to a compromised system is 'nuke from a high orbit' - disconnect, wipe, rebuild and secure.

Does that all make sense?

Theuns
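The three-zone layout of point 5 (Internet / DMZ / trusted LAN, public server in the DMZ behind service pinholes, "fall shut" defaults and a restrictive outgoing policy for the DMZ) written out as an iptables-restore ruleset. This is an added example, not code from the thread; it uses iptables rather than IPChains, and the interface names (eth0 Internet, eth1 DMZ, eth2 LAN) and addresses are assumed placeholders, with the DMZ assumed routable so no NAT is shown.

```shell
#!/bin/sh
# Added example: prints a ruleset for review; nothing touches the kernel.
# Apply with:  gen_dmz_rules | iptables-restore   (after reviewing it)
DMZ_NET="192.0.2.0/24"        # assumed DMZ range (documentation prefix)
LAN_NET="192.168.1.0/24"      # assumed trusted LAN range
DMZ_SERVER="192.0.2.10"       # assumed public web/mail host in the DMZ

gen_dmz_rules() {
    cat <<EOF
*filter
# Fall shut: default policy DROP, so a missing or broken rule closes, not opens.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The firewall itself runs no public service; SSH only from the trusted LAN.
-A INPUT -i eth2 -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Pinholes: the Internet may reach only HTTP and SMTP on the DMZ server.
-A FORWARD -i eth0 -o eth1 -d $DMZ_SERVER -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d $DMZ_SERVER -p tcp --dport 25 -j ACCEPT
# A compromised DMZ host gets no new connections into the trusted LAN...
-A FORWARD -i eth1 -o eth2 -j DROP
# ...and only a restrictive outgoing policy toward the Internet.
-A FORWARD -i eth1 -o eth0 -s $DMZ_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s $DMZ_SERVER -p tcp --dport 25 -j ACCEPT
# The trusted LAN may use the DMZ services (web, SMTP, IMAP) and the Internet.
-A FORWARD -i eth2 -o eth1 -s $LAN_NET -d $DMZ_SERVER -p tcp -m multiport --dports 80,25,143 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Pre-load check: DMZ->LAN must be an explicit DROP, and no rule may
# accept Internet->LAN forwarding directly. Returns 0 when both hold.
check_dmz_rules() {
    rules=$(gen_dmz_rules)
    printf '%s\n' "$rules" | grep -q -- '-i eth1 -o eth2 -j DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '-i eth0 -o eth2 .*-j ACCEPT' && return 1
    return 0
}
```

Because the FORWARD policy is DROP, the DMZ->LAN DROP rule is belt and braces; it is there so the intent survives if someone later appends a broad ACCEPT.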
