On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> ----- Original Message -----
> > From: "Jimmy Hess" <[email protected]>
>
> > Or, the attack is against a legitimate user's outbound connection, for
> > example:
> > a user behind the firewall connects to a web site, a vulnerability
> > in their browser is exploited
> > to install a trojan -- the trojan tunnels to the attacker over an
> > outgoing port that is allowed on the firewall.
>
> Oh, certainly; I have lots of web browsers running on my servers.
>
> All The World Is Not A Workstation, guys.
Is there *anything* on the allegedly protected subnet that has a web browser running on it? Maybe that laptop on the crash cart that you use for downloading firmware and installing it on storage appliances? If it's a corporate-sized NAT, do you have any desktops that have network reachability to the servers (probably do - if the desktops can't reach the servers, the servers aren't useful, are they?) and also have web browsers that go to the outside world?

I compromise an ad server someplace. Bob over in Accounting visits the CPA forum on the accountants-r-us.com website looking for suggestions on how to handle a tax issue. I now have control of Bob's workstation, and the question of whether your firewall does NAT or not just became totally moot.

Defense in depth doesn't mean building a second Maginot Line behind the first is a good idea - it means you *also* have a capable army that will stop a German invasion coming in via Belgium.
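The defensive corollary of the point above is that egress policy has to be written per host role, not per subnet boundary: a server that has no browser has no business opening outbound web connections, and an unknown host (the crash-cart laptop) should stand out. The following is an added example written for this edit, not code from the thread or its authors; the subnets, allowed port sets and firewall log format are all constructed assumptions. It parses ACCEPT lines for outbound flows and flags those that fall outside the role's allowed egress ports or come from a host with no assigned role.

```python
import ipaddress
import re
from collections import Counter

# Constructed role-based egress policy (assumption: subnets and port sets are
# invented for this example; a real policy comes from your own inventory).
ROLE_POLICY = {
    "servers": {
        "subnet": ipaddress.ip_network("10.0.1.0/24"),
        # No browsers on servers, so outbound is limited to what services need:
        # DNS and SMTP relay here.
        "allowed_ports": {53, 25},
    },
    "workstations": {
        "subnet": ipaddress.ip_network("10.0.2.0/24"),
        "allowed_ports": {53, 80, 443},
    },
}

# Everything inside this range is "internal"; internal-to-internal flows are
# out of scope for an egress check (assumed addressing plan).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample firewall log (hypothetical format). In order:
# workstation browsing (fine), server to a web port (servers do not browse),
# internal-only flow (skipped), a host in no known role, server SMTP relay (fine),
# workstation to an unusual port.
SAMPLE_LOG = """\
2011-11-16T13:40:01 ACCEPT src=10.0.2.15 dst=198.51.100.20 proto=tcp dport=443
2011-11-16T13:40:05 ACCEPT src=10.0.1.7 dst=203.0.113.9 proto=tcp dport=443
2011-11-16T13:40:09 ACCEPT src=10.0.1.7 dst=10.0.2.15 proto=tcp dport=445
2011-11-16T13:40:12 ACCEPT src=10.0.3.50 dst=203.0.113.9 proto=tcp dport=443
2011-11-16T13:40:20 ACCEPT src=10.0.1.7 dst=203.0.113.9 proto=tcp dport=25
2011-11-16T13:40:25 ACCEPT src=10.0.2.15 dst=203.0.113.9 proto=tcp dport=8443
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one ACCEPT log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def role_of(ip):
    """Map a source address to its policy role, or None if no role covers it."""
    for role, policy in ROLE_POLICY.items():
        if ip in policy["subnet"]:
            return role
    return None


def egress_violations(lines):
    """Return (violations, per_host_outbound_count) for outbound ACCEPTed flows.

    Each violation is (src, dst, dport, reason). Hosts with no role are
    reported as 'unknown-host'; role hosts using a port outside their allowed
    set are reported as '<role>-port-not-allowed'.
    """
    violations = []
    per_host = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] in INTERNAL:
            continue  # unparseable, or not an egress flow
        src = str(rec["src"])
        per_host[src] += 1
        role = role_of(rec["src"])
        if role is None:
            violations.append((src, str(rec["dst"]), rec["dport"], "unknown-host"))
        elif rec["dport"] not in ROLE_POLICY[role]["allowed_ports"]:
            violations.append(
                (src, str(rec["dst"]), rec["dport"], f"{role}-port-not-allowed")
            )
    return violations, per_host


if __name__ == "__main__":
    found, counts = egress_violations(SAMPLE_LOG.splitlines())
    for src, dst, dport, reason in found:
        print(f"{src} -> {dst}:{dport}  {reason}")
    print("outbound flows per host:", dict(counts))
```

The point of the per-host counter is that a review list is only useful if it is short: the server and the unknown laptop each surface once, while the workstation's ordinary browsing is not reported at all. Whether the allowed set for workstations should be wider or narrower is a policy question this snippet does not decide; it only makes deviations from whatever you chose visible.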