Re: [fw-wiz] Flat vs Segmented DMZ's

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 11/06/02


From: Mikael Olsson <mikael.olsson@clavister.com>
To: Dave Piscitello <dave@corecom.com>
Date: Wed Nov  6 17:17:14 2002

Dave Piscitello wrote:
>
> What's the business rationale for segmenting?

Why, reducing exposure, of course, as with any other security measure.

Good example:
- Let's say we have one DMZ.
- This DMZ contains a web server, likely highly susceptible to attack,
    but that doesn't matter, because it's "in the DMZ", right?
- This DMZ also contains a mail gateway with content filtering, set to
    strip out anything that looks bad, and also to protect the poor
    bloated groupware mail server sitting on the inside.

What happens when the web server gets 0wned?

It is trivial for the attacker to spoof the IP of the mail gateway and:
1. Directly attack the poor exch^H^H^H^Hgroupware mail server on
   the inside, which now has nothing to protect it
or:
2. Send mail with harmful content straight to all recipients.
   Trojan embedded in an IFRAME set to auto-open, anyone?
or:
3. Attack the mail server in case spoofing is too "hard"
   (it isn't, but let's assume it is).
   Obviously this attack wouldn't be through port 25, which could just
   as easily be done from the outside. But maybe through a buffer
   overrun in SSH? (After all, SSH isn't reachable from the outside?)

I wouldn't even need to worry about this attack vector if those two
boxes were sitting in separate DMZs (as in: separate interfaces on
the firewall box), not allowed to communicate with each other.

Food for thought...
/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
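
An added illustration of the argument in the post above (example code, not Mikael's, and not any real firewall's syntax): a small model of a firewall that evaluates packets by ingress interface, source, destination and port, with a default drop and a per-interface reverse-path (anti-spoofing) check. It runs the three attacks from the post against a flat DMZ and against a segmented one. The addresses, interface names and rule sets are constructed for illustration; the reverse-path check is assumed to be present on the firewall, which the post does not say outright.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # firewall interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str            # ingress interface the rule applies to
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "drop"

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match policy with default drop and a per-interface
    reverse-path (anti-spoofing) check (assumed, as a hypothetical box)."""

    def __init__(self, interfaces: Dict[str, str], rules: List[Rule]):
        self.interfaces = {n: ip_network(c) for n, c in interfaces.items()}
        self.rules = rules

    def evaluate(self, p: Packet) -> str:
        net = self.interfaces[p.iface]
        # Hosts on one segment talk directly over the switch; the firewall
        # never sees that traffic, so it cannot filter it.
        if ip_address(p.src) in net and ip_address(p.dst) in net:
            return "unfiltered:same-segment"
        # A packet arriving on an interface must carry a source address
        # from that interface's subnet; anything else is spoofed.
        if ip_address(p.src) not in net:
            return "drop:spoofed-source"
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop:default"


# Constructed addresses (RFC 5737 documentation ranges and RFC 1918 space).
WEB = "192.0.2.10"            # public web server, assumed compromised
MAILGW_FLAT = "192.0.2.25"    # mail gateway when it shares the web DMZ
MAILGW_SEG = "198.51.100.25"  # mail gateway on its own DMZ interface
INTERNAL_MAIL = "10.0.0.25"   # groupware mail server on the inside

# Flat DMZ: one interface, one subnet, one rule letting the gateway relay in.
flat = Firewall(
    {"dmz": "192.0.2.0/24", "inside": "10.0.0.0/24"},
    [Rule("dmz", MAILGW_FLAT + "/32", INTERNAL_MAIL + "/32", 25, "allow")],
)

# Segmented DMZ: web and mail on separate interfaces; only the mail DMZ
# may reach the inside, and nothing permits dmz-web -> dmz-mail.
segmented = Firewall(
    {"dmz-web": "192.0.2.0/24", "dmz-mail": "198.51.100.0/24",
     "inside": "10.0.0.0/24"},
    [Rule("dmz-mail", MAILGW_SEG + "/32", INTERNAL_MAIL + "/32", 25, "allow")],
)


def attacker_on_web_server() -> Dict[str, str]:
    """Packets an attacker on the owned web server might send, and the
    verdict each topology gives them."""
    return {
        # Attacks 1 and 2: spoof the gateway's address and talk to the inside.
        "flat: spoof gateway -> internal:25":
            flat.evaluate(Packet("dmz", MAILGW_FLAT, INTERNAL_MAIL, 25)),
        "segmented: spoof gateway -> internal:25":
            segmented.evaluate(Packet("dmz-web", MAILGW_SEG, INTERNAL_MAIL, 25)),
        # Attack 3: hit the gateway on a port the outside cannot reach.
        "flat: web -> gateway:22":
            flat.evaluate(Packet("dmz", WEB, MAILGW_FLAT, 22)),
        "segmented: web -> gateway:22":
            segmented.evaluate(Packet("dmz-web", WEB, MAILGW_SEG, 22)),
        # The legitimate mail path still works in the segmented design.
        "segmented: gateway -> internal:25":
            segmented.evaluate(Packet("dmz-mail", MAILGW_SEG, INTERNAL_MAIL, 25)),
    }


if __name__ == "__main__":
    for scenario, verdict in attacker_on_web_server().items():
        print(f"{scenario:45} {verdict}")
```

The flat case shows both halves of the problem: the spoofed packet is indistinguishable from the gateway's own traffic because it arrives on the same interface from the same subnet, and the web-to-gateway SSH attempt never crosses the firewall at all. With separate interfaces the reverse-path check rejects the spoof and the default drop covers the rest, while the gateway's own relay path is unchanged.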

