Re: Best security topology for FreeBSD

From: Allen Landsidel (all@biosys.net)
Date: 11/28/01


Date: Wed, 28 Nov 2001 13:05:01 -0500
To: freebsd-security@freebsd.org
From: Allen Landsidel <all@biosys.net>

At 03:48 PM 11/28/2001 +0000, you wrote:

>Your phrase is equivalent to saying something like this: If you have not
>heard about GMC SUBURBAN ( A really big car) transporting 700 people
>cross-Atlantic - it does not mean it cannot be done. I agree that things
>are a bit more complicated in our world but c'mon... show me how you
>would approach executing a stack on any non-trojaned packet filtering
>device... at least in theory... I thought you couldn't :)

Again.. you miss the point. I'm not surprised. Imagine you have a crummy
stack that just looks at the length header of the packet when getting the
packet, then pushes the actual packet size onto the stack. Which one is
larger or smaller doesn't matter, you've just flubbed the machine and a
smash is inevitable on the return from the call. There are other ways of
doing this as well, and as most smashes go, they all involve specially
constructed packets that are invalid.

I thought I could!

Why were you yelling at me by the way? No need for caps there cowboy.

>This is just silly.... I hope you understand what it means to not allow
>outbound connections. It would take time to poke around and figure out
>how and what to do on a machine that does not produce an output. Most
>likely the machine will crash....soon... And your "IDS" as in " monitoring
>- analysis - incident response on network and host levels" not as in " a
>product" WILL TELL YOU ABOUT. THIS IS TIME. Clearly, you are not sure
>what you are saying here.

I certainly know what I'm saying.. I have no idea however what you were
just saying. I couldn't make any sense of this paragraph.

>IN YOUR SINGLE FIREWALL DESIGN - IF A FIREWALL IS COMPROMISED YOUR ENTIRE
>SECURITY MODEL IS BLOWN OUT OF THE WATER!

Yep. In a two firewall design, the same is true. Designing a security
"gray area" into your network is lame.

>THE EXTRA TIME IS THE KEY SECURITY CONCEPT. IF YOU HAVE UNLIMITED TIME -
>YOU CAN GET TO ANYTHING... WELL ALMOST :) Ever wondered why "Important"
>Banks and other installations are not too far from police stations? Your
>phrase that time is not important goes beyond technical incompetence
>right into security ignorance. No offense.

I didn't say time is meaningless, I said your "extra time" is
meaningless. As for your other argument.. is that also the reason that
everything around the bank is where it is.. like the laundromat? For that
heightened security? Maybe it's more likely that the bank was built where
land was cheap, and the same goes for the police station.

>Well actually "ass" is not a very professional term - I would personally
>try to avoid it on the Net - but yes a TCP WRAPPER is a firewall and it is
>recommended to use them as much as possible... More so, IPSec is a firewall
>"concept" because it "authenticates" source and, again, it is recommended.

TCP Wrapper is not a firewall, it's a logging and analysis tool. IPSec is
not a firewall either, it's an encryption and authentication
system. Neither one has anything to do with firewalls.

>Agreed - but we are talking about a firewall compromise here :) This is
>where time and 3-triple firewall architecture and IDS process comes to
>play... Hope you see this now.

I agree with using an IDS, or as many of them as you can if you're
paranoid. I still don't agree with your "extra time" concept because you
never covered the basic fact that if the firewalls are the same or similar,
you'll probably have all of about 15 seconds before the second one
falls. Chances are you won't even know it happened until it's too
late. Rare is the case where a firewall is compromised and someone
immediately catches on before any damage is done to other systems.

>I am not against the previous definition of a single firewall with three
>interfaces; one for outside, one for inside, and one for the dmz.. but it's
>usually not required.

If it's not required, then by definition, the two firewall design is not
required either. They're the same thing functionally, only requiring less
hardware.

Please fix your mail quoting if you continue to reply.. you had everything
all jumbled this time.

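The length-field mismatch Allen describes in his reply (a parser that reads the packet's length header and copies that many bytes into a fixed stack buffer without ever comparing it with the size actually received) is shown below in C as an added example. It is not code from the original post, from the list, or from any FreeBSD or firewall source: the two-byte length-prefixed wire format, the `struct frame` that stands in for a stack frame, the function names, and the sample packets are all constructed for the illustration. The unchecked parser writes the attacker's last eight bytes over the slot that a real frame would use for the saved return address; the checked parser refuses the same packet before copying anything, and also refuses the other mismatch direction (a header claiming more bytes than arrived).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (not a real protocol):
 * a two-byte big-endian payload length followed by the payload. */
#define HDR_SIZE    2
#define PAYLOAD_MAX 64

/* Stand-in for the stack frame of a function that parses into a local
 * buffer.  In a real frame the bytes after the buffer are the saved frame
 * pointer and return address; here they are a field of the same struct so
 * the overwrite stays inside one object and can be inspected instead of
 * crashing the process. */
struct frame {
    uint8_t  payload[PAYLOAD_MAX];
    uint64_t saved_ret;
};

static uint16_t hdr_len(const uint8_t *pkt)
{
    return (uint16_t)((pkt[0] << 8) | pkt[1]);
}

/* The "crummy stack": copies as many bytes as the header claims and never
 * compares that with the size actually received or with the buffer size. */
size_t parse_unchecked(struct frame *f, const uint8_t *pkt, size_t received)
{
    (void)received;                     /* the real size is never consulted */
    size_t n = hdr_len(pkt);
    memcpy((uint8_t *)f + offsetof(struct frame, payload), pkt + HDR_SIZE, n);
    return n;
}

/* Hardened parser: the header length must agree with what arrived and fit
 * the buffer, or the packet is dropped before any copy.  Returns the
 * payload length, or -1 when the packet is rejected. */
int parse_checked(struct frame *f, const uint8_t *pkt, size_t received)
{
    if (received < HDR_SIZE)
        return -1;                      /* no complete header */
    size_t n = hdr_len(pkt);
    if (n != received - HDR_SIZE)
        return -1;                      /* header lies about the size */
    if (n > PAYLOAD_MAX)
        return -1;                      /* would not fit the frame */
    memcpy(f->payload, pkt + HDR_SIZE, n);
    return (int)n;
}

/* Constructed attack packet: header and body agree on 72 payload bytes,
 * 8 more than the buffer holds, so the last 8 land on saved_ret. */
#define EVIL_PAYLOAD (PAYLOAD_MAX + sizeof(uint64_t))
#define EVIL_SIZE    (HDR_SIZE + EVIL_PAYLOAD)

static size_t build_evil(uint8_t out[EVIL_SIZE])
{
    out[0] = (uint8_t)(EVIL_PAYLOAD >> 8);
    out[1] = (uint8_t)(EVIL_PAYLOAD & 0xff);
    memset(out + HDR_SIZE, 'A', PAYLOAD_MAX);                    /* filler */
    memset(out + HDR_SIZE + PAYLOAD_MAX, 'B', sizeof(uint64_t)); /* "address" */
    return EVIL_SIZE;
}

/* Feeds the attack packet to the unchecked parser and returns what ended
 * up in the return-address slot: 0x4242424242424242, attacker-chosen. */
uint64_t ret_after_unchecked(void)
{
    uint8_t pkt[EVIL_SIZE];
    size_t n = build_evil(pkt);
    struct frame f = { {0}, 0 };
    parse_unchecked(&f, pkt, n);
    return f.saved_ret;
}

/* Same packet through the checked parser: 1 if it was rejected and the
 * return-address slot is untouched. */
int checked_rejects_evil(void)
{
    uint8_t pkt[EVIL_SIZE];
    size_t n = build_evil(pkt);
    struct frame f = { {0}, 0x1122334455667788ULL };
    return parse_checked(&f, pkt, n) == -1 &&
           f.saved_ret == 0x1122334455667788ULL;
}

/* The other mismatch: a 4-byte packet whose header announces 60 bytes. */
int checked_rejects_short(void)
{
    uint8_t pkt[4] = { 0, 60, 'x', 'y' };
    struct frame f = { {0}, 0 };
    return parse_checked(&f, pkt, sizeof pkt) == -1;
}

/* A well-formed packet still parses: header 5, five payload bytes. */
int checked_accepts_good(void)
{
    uint8_t pkt[HDR_SIZE + 5] = { 0, 5, 'h', 'e', 'l', 'l', 'o' };
    struct frame f = { {0}, 0 };
    return parse_checked(&f, pkt, sizeof pkt) == 5 &&
           memcmp(f.payload, "hello", 5) == 0;
}

int main(void)
{
    printf("unchecked: saved_ret = 0x%016llx\n",
           (unsigned long long)ret_after_unchecked());
    printf("checked: rejects evil %d, rejects short %d, accepts good %d\n",
           checked_rejects_evil(), checked_rejects_short(),
           checked_accepts_good());
    return 0;
}
```

The point the checked version makes is that the length on the wire is an attacker-supplied number and has to be compared against two independent facts before it is used as a copy count: how many bytes actually arrived, and how many the destination can hold. Either check alone leaves one of the two mismatch directions open.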
