Re: [fw-wiz] X server in a Firewall
On Tue, 24 Jan 2006, John M wrote:

> On the local GUI:
> > The more code, the more potential vulnerabilities,
>
> On remote access:
> > Web servers tend to increase the risk, as does any
> > remote technology.
>
> OK. But what is your recommendation to a fortune 500
> company? :)

If you *must* run a GUI, then lock it down and make the admins run it on
the local console.

> That is, if Coca-Cola wanted a unix based firewall and
> _wanted to manage it through a graphical interface_, what
> would you suggest? An X server running in a firewall
> sounds bad, but a web server or ssh server could be
> even worse (key logger on the management station or
> buffer overflow in the ssh or web daemon and both run
> as root, so to have permission to change the fw rules)

Out of band management (i.e. get off your posterior and walk to the
firewall) is always a winner for me.

I don't like remote access to my firewalls, but if I have to have it, then
it's got to be out of band (really out of band, not VLAN/crypto) if I get
to have my way.

> Besides the firewall, there's a proxy running on the
> box too (as an unprivileged user), so the box could be
> compromised remotely through it and the privilege
> escalated through an X server vulnerability.

If you permission things well, then that should be a low chance.

> I mean, the ssh or web server port used to manage it
> could be vulnerable to a buffer overflow attack, so if
> only a specific IP (the admin) could connect to this
> port, it yet would be vulnerable, but nobody else
> could exploit it, except if they spoof the admin IP :)

If you can't trust your proxies, it's time to change proxies ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
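
As an added illustration of the last exchange in this message (example code, not from the thread or its authors; the interfaces, addresses and sample packets are constructed), this models a management-port policy that binds the admin allow-list to a dedicated out-of-band interface instead of trusting a source address alone, so a spoofed admin IP arriving from the outside is dropped and tagged for alerting:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (an assumption for this example, not from the thread):
# eth0 faces the Internet, eth1 the internal LAN, mgmt0 is a dedicated
# out-of-band management link, and ADMIN is the only station allowed to SSH in.
ADMIN = ip_address("192.0.2.10")
MGMT_IF = "mgmt0"
MGMT_NET = ip_network("192.0.2.0/28")   # the small net on the far end of mgmt0
SSH_PORT = 22

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source address as seen on the wire
    dport: int   # TCP destination port
    proto: str = "tcp"

def filter_mgmt(pkt: Packet) -> str:
    """Verdict for a packet addressed to the firewall itself.

    The accept rule is bound to the management interface, not just to the
    admin's address, so a forged admin source on eth0/eth1 never matches it;
    it is dropped and tagged so it can be alerted on.
    """
    src = ip_address(pkt.src)
    if pkt.proto != "tcp" or pkt.dport != SSH_PORT:
        return "drop:not-management"          # the box itself serves nothing else
    if pkt.iface != MGMT_IF:
        if src in MGMT_NET:
            return "drop:spoofed-admin"       # mgmt net never appears here: forged
        return "drop:wrong-interface"
    if src == ADMIN:
        return "accept"
    return "drop:unknown-mgmt-host"

def evaluate(pkts):
    """Apply the policy to each packet; returns a list of (packet, verdict)."""
    return [(p, filter_mgmt(p)) for p in pkts]

# Constructed sample traffic: the real admin, an outside host forging the admin
# address, an internal host trying the management port, and two mgmt0 cases.
SAMPLE = [
    Packet("mgmt0", "192.0.2.10", 22),
    Packet("eth0",  "192.0.2.10", 22),
    Packet("eth1",  "10.1.1.50", 22),
    Packet("mgmt0", "192.0.2.11", 22),
    Packet("mgmt0", "192.0.2.10", 80),
]

if __name__ == "__main__":
    for pkt, verdict in evaluate(SAMPLE):
        print(f"{pkt.iface:5} {pkt.src:>12} :{pkt.dport:<4} -> {verdict}")
```

The "drop:spoofed-admin" verdict is the one worth logging loudly: on this topology nothing legitimate ever produces it.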