[NEWS] SMC Barricade's Dodgy "DMZ" Feature

From: support@securiteam.com
Date: 12/28/01

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 28 Dec 2001 13:29:47 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  SMC Barricade's Dodgy "DMZ" Feature


<http://www.smc.com/index.cfm?action=products_show_product&productcode=SMC7004ABR> SMC Barricade (SMC7004ABR) is a all-in-one networking solution for home and small business users. A security related design flaw in the product does not separate internal hosts from DMZed networks as it should, allowing compromised hosts in the DMZ full access to the internal network.


As many of us know, hosts in a DMZ ("De-Militarized Zone") should not be
able to initiate connections to internal LAN hosts. The whole point of
having a DMZ is to prevent LAN hosts from also being compromised, should a
DMZ host be compromised (from having its connected-to-from-the-internet
services, like web or ftp, compromised). However, when you set one of your
LAN hosts to be the "virtual DMZ host" in SMC Barricade, that host can
still connect in any usual way (i.e. ping, SSH, etc) to the other LAN
hosts. In other words, the "virtual DMZ host" is still part of the LAN,
not "quarantined" somehow in a little network of its own.

Vendor response:
SMC has explained this by using a different definition of a DMZ, which
basically goes like this: when you want to use network software that
doesn't use standard ports (like ICQ file transfers), it's convenient to
be able to back off all the firewall rules for a given host, so all ports
are available. You will notice this definition results in less security,
not more. According to SMC, this definition is the norm used by virtually
all other home firewall appliance manufacturers, apparently, this makes it

Possible solutions:
Do not use the DMZ feature on the Barricade, add firewalling rules on all
LAN boxes to protect them from the DMZ host. Although cumbersome, this
should approximate the functionality of a DMZ.


The information has been provided by
<mailto:Dustin.Harriman@AnalogSynthesis.com> Dustin Harriman.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.