Is this as bad as it seems?
From: Jay (lorddark98@yahoo.com)
Date: 07/28/02
- Previous message: Larry Thompson: "RE: ARP Floods on port 80"
- Next in thread: Gino Genari: "RE: Is this as bad as it seems?"
- Reply: Gino Genari: "RE: Is this as bad as it seems?"
- Reply: Stefan Osterlitz: "Re: Is this as bad as it seems?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 28 Jul 2002 12:21:49 -0700 (PDT) From: Jay <lorddark98@yahoo.com> To: security-basics@securityfocus.com
I just inherited a network with what I believe are
numerous security holes. Here is an overview.
(1) No firewall. All inbound traffic is filtered by
an access list on the router, as to port and protocol
allowed. Basically, only the typical ports for web,
FTP, DNS, pcAnywhere, plus a few others, are left
open, and the access list is written to filter out
strings from Code Red.
(2) No DMZ. Web and FTP servers, holding hosted
customer accounts (customers have access via FTP), are
on the same physical segment as the internal
workstations. The only line in the sand is the office
machines are on a different subnet than the public
machines.
(3) One NT domain (named after the internet domain) is
shared among the public servers and internal machines.
Several of the public servers serve double-duty as
the domain's PDC and BDC, database servers, as well as
the mail and DNS servers for both public and private
use.
My questions are, (1) how effective is a router-based
access list that blocks ports, compared to a firewall?
Pros? Cons? (2) Is it correct that putting public
and private hosts on different subnets is nothing more
than minimal security by obscurity, and a major risk?
(3) Is it as crazy as it seems, to put your domain
controllers on public hosts? My thought is, a hacker
who "owns" a PDC will own the entire network's
security.
Management believes this configuration is safe enough
because (1) malicious traffic is "stopped at the
router"; (2) there is no risk from malicious web
hosting clients because their accounts are User-level
accounts with FTP-only access, and therefore cannot
run malicious programs; and (3) they aren't
particularly concerned with systems compromise via
DNS, DC, SQL, or other attacks aimed at
publicly-accessible services, again because of the
router access lists blocking most ports.
Basically, they believe the access list at the border
is exceptionally effective because you can't get
attacked by what can't reach your hosts. My
background has primarily been desktop and application
support, so the responsibility of server/network
security is new to me.
I believe this network is a disaster waiting to
happen, but I don't have enough knowledge on the
subject to create a detailed list of what's wrong for
my boss. I'm asking for any advice, URLs, etc., that
address what I believe are gaping holes mentioned
above, plus those which I may not have thought of.
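The poster's first question (a port-based router access list versus a firewall) comes down to statelessness: a classic extended ACL judges every packet on its own header, so it needs an "established"-style rule (match any packet with ACK or RST set) to let replies back in, and that rule also admits any unsolicited packet an attacker crafts with the ACK bit set. A stateful firewall instead keeps a connection table and admits inbound packets only when they belong to a connection it has already seen. The model below is an added example, not code from the original post or any reply; the ACL, the Code Red signature string, the addresses and the packets are all constructed for illustration and do not describe the poster's real configuration.

```python
"""Stateless router ACL vs. stateful firewall, modelled in plain Python.

Added example. Everything here (rule set, addresses, packets, the
'default.ida' string used as the Code Red signature) is constructed for
illustration; nothing is taken from a real router configuration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Hypothetical router ACL in the spirit of the post: permit a few service
# ports, permit anything that looks "established" (ACK or RST bit set, the
# semantics of the Cisco 'established' keyword), and drop a Code Red string.
# Tuple: (action, destination port or None, established-only, payload signature)
ROUTER_ACL = [
    ("deny",   None, False, b"default.ida"),  # Code Red string filter
    ("permit", 80,   False, None),            # web
    ("permit", 21,   False, None),            # FTP
    ("permit", 53,   False, None),            # DNS
    ("permit", 5631, False, None),            # pcAnywhere
    ("permit", None, True,  None),            # 'established': ACK or RST set
    ("deny",   None, False, None),
]


def router_acl_permits(pkt):
    """Stateless evaluation: each packet is judged only on its own header/payload."""
    for action, dport, established, signature in ROUTER_ACL:
        if dport is not None and pkt.dport != dport:
            continue
        if established and not (pkt.flags & {"ACK", "RST"}):
            continue
        if signature is not None and signature not in pkt.payload:
            continue
        return action == "permit"
    return False


class StatefulFirewall:
    """Minimal stateful filter: inbound packets pass only as a new SYN to a
    published service or as part of a connection already in the state table."""

    def __init__(self, published_ports):
        self.published_ports = set(published_ports)
        self.state = set()    # (initiator, iport, responder, rport)

    def outbound(self, pkt):
        # Inside hosts may open connections out; remember them for the reply.
        self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return True       # reply to a connection the inside opened
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.state:
            return True       # continuation of an accepted inbound connection
        if pkt.flags == frozenset({"SYN"}) and pkt.dport in self.published_ports:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True       # new connection to a published service
        return False          # everything else, including stray ACK packets


# Constructed addresses (documentation ranges); the workstation sits on the
# same segment as the web server, as in the post.
WEB = "203.0.113.10"
WORKSTATION = "203.0.113.50"
ATTACKER = "198.51.100.7"
EXTERNAL_WEB = "192.0.2.80"


def run_scenarios():
    """Return {scenario: (router ACL permits, stateful firewall permits)}."""
    fw = StatefulFirewall(published_ports={80, 21, 53, 5631})
    results = {}

    # 1. Legitimate browsing from the workstation: SYN out, SYN/ACK back in.
    fw.outbound(Packet(WORKSTATION, 40001, EXTERNAL_WEB, 80, frozenset({"SYN"})))
    reply = Packet(EXTERNAL_WEB, 80, WORKSTATION, 40001, frozenset({"SYN", "ACK"}))
    results["browsing reply"] = (router_acl_permits(reply), fw.inbound(reply))

    # 2. Unsolicited ACK to NetBIOS on the workstation. The 'established' rule
    #    sees the ACK bit and lets it through; the firewall has no state for it.
    stray = Packet(ATTACKER, 6000, WORKSTATION, 139, frozenset({"ACK"}))
    results["stray ACK to 139"] = (router_acl_permits(stray), fw.inbound(stray))

    # 3. Attacker opens a real connection to the public web server (both allow
    #    it: port 80 is published), then sends the Code Red request.
    syn = Packet(ATTACKER, 6001, WEB, 80, frozenset({"SYN"}))
    fw.inbound(syn)
    code_red = Packet(ATTACKER, 6001, WEB, 80, frozenset({"PSH", "ACK"}),
                      b"GET /default.ida?XXXX HTTP/1.0")
    results["Code Red string"] = (router_acl_permits(code_red), fw.inbound(code_red))

    # 4. Any other request on port 80 with no matching string reaches the host
    #    under both devices: neither inspects what the web server does with it.
    other = Packet(ATTACKER, 6001, WEB, 80, frozenset({"PSH", "ACK"}),
                   b"GET /somepage.asp HTTP/1.0")
    results["unknown request on 80"] = (router_acl_permits(other), fw.inbound(other))
    return results


if __name__ == "__main__":
    for name, (acl, fw) in run_scenarios().items():
        print(f"{name:24s} router ACL: {'permit' if acl else 'deny':6s} "
              f"stateful firewall: {'permit' if fw else 'deny'}")
```

Scenario 2 is the concrete difference: the stateless "established" rule is what keeps the office machines usable, and it is also what lets an ACK-flagged probe reach port 139 on a workstation that shares the segment with the public servers. Scenarios 3 and 4 show the limit of both devices: a string match stops only the one attack it was written for, and anything else sent to an open port is the server's problem, which is why the DMZ and shared-domain questions in the post matter more than the ACL-versus-firewall one.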