RE: Is this as bad as it seems?
From: Gino Genari (mail226518@pop.net) Date: 07/29/02
- Previous message: Johan De Meersman: "Re: Application passwords"
- In reply to: Jay: "Is this as bad as it seems?"
- Next in thread: Stefan Osterlitz: "Re: Is this as bad as it seems?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Gino Genari" <mail226518@pop.net>
To: "Jay" <lorddark98@yahoo.com>, <security-basics@securityfocus.com>
Date: Mon, 29 Jul 2002 12:00:47 -0400
Here is something I can think of (very general concept):
1. Use some kind of exploit to install a reverse tunnel on one of the
public servers.
2. Use this reverse tunnel to install some kind of remote control program.
3. Use the remote control program to attack the rest of the network.
I see the PCanywhere port as a huge hole, what if the IP address of an
allowed port was spoofed, and PCanywhere cracked on the internal machine?
Skip steps 1 and 2 and go directly to 3.
Anyone see any problems with this scenario?
Gino.
-----Original Message-----
From: Jay [mailto:lorddark98@yahoo.com]
Sent: Sunday, July 28, 2002 3:22 PM
To: security-basics@securityfocus.com
Subject: Is this as bad as it seems?
I just inherited a network with what I believe are
numerous security holes. Here is an overview.
(1) No firewall. All inbound traffic is filtered by
an access list on the router, as to port and protocol
allowed. Basically, only the typical ports for web,
FTP, DNS, pcAnywhere, plus a few others, are left
open, and the access list is written to filter out
strings from Code Red.
(2) No DMZ. Web and FTP servers, holding hosted
customer accounts (customers have access via FTP), are
on the same physical segment as the internal
workstations. The only line in the sand is the office
machines are on a different subnet than the public
machines.
(3) One NT domain (named after the internet domain) is
shared among the public servers and internal machines.
Several of the public servers serve double-duty as
the domain's PDC and BDC, database servers, as well as
the mail and DNS servers for both public and private
use.
My questions are, (1) how effective is a router-based
access list that blocks ports, compared to a firewall?
Pros? Cons? (2) Is it correct that putting public
and private hosts on different subnets is nothing more
than minimal security by obscurity, and a major risk?
(3) Is it as crazy as it seems, to put your domain
controllers on public hosts? My thought is, a hacker
who "owns" a PDC will own the entire network's
security.
Management believes this configuration is safe enough
because (1) malicious traffic is "stopped at the
router"; (2) there is no risk from malicious web
hosting clients because their accounts are User-level
accounts with FTP-only access, and therefore cannot
run malicious programs; and (3) they aren't
particularly concerned with systems compromise via
DNS, DC, SQL, or other attacks aimed at
publicly-accessible services, again because of the
router access lists blocking most ports.
Basically, they believe the access list at the border
is exceptionally effective because you can't get
attacked by what can't reach your hosts. My
background has primarily been desktop and application
support, so the responsibility of server/network
security is new to me.
I believe this network is a disaster waiting to
happen, but I don't have enough knowledge on the
subject to create a detailed list of what's wrong for
my boss. I'm asking for any advice, URLs, etc., that
address what I believe are gaping holes mentioned
above, plus those which I may not have thought of.
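As an added defender's illustration, not taken from Gino's or Jay's messages: a Cisco IOS-style router access list of the kind Jay describes, first permitting by destination port alone, then tightened with an ingress anti-spoofing rule, per-host service permits and a source-restricted pcAnywhere rule. The addresses (192.0.2.0/24 for the public servers, 198.51.100.7 for the administrator), the interface name and the pcAnywhere ports 5631/tcp and 5632/udp are assumptions, not values from the thread.

```cisco
! --- Weak list (what the thread describes): filter by destination port only.
! Any source on the Internet can reach every listed service, including pcAnywhere
! on every host of the public subnet (addresses and ports are assumed values).
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 permit tcp any host 192.0.2.11 eq ftp
access-list 101 permit udp any host 192.0.2.12 eq domain
access-list 101 permit tcp any host 192.0.2.12 eq domain
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 5631
access-list 101 permit udp any 192.0.2.0 0.0.0.255 eq 5632
! an implicit "deny ip any any" ends every IOS access list
!
! --- Tightened list: same services, smaller exposure.
! 1. Ingress anti-spoofing: a packet arriving from the Internet that claims an
!    inside or non-routable source address is a forgery; drop it and log it.
access-list 102 deny ip 192.0.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
! 2. Public services: permit each port only to the host that actually runs it.
access-list 102 permit tcp any host 192.0.2.10 eq www
access-list 102 permit tcp any host 192.0.2.11 eq ftp
access-list 102 permit udp any host 192.0.2.12 eq domain
access-list 102 permit tcp any host 192.0.2.12 eq domain
! 3. Remote control: one administrator address to one target host, not the subnet.
!    A stateless filter still cannot prove that 198.51.100.7 is genuine, so this
!    narrows the hole Gino points at rather than closing it.
access-list 102 permit tcp host 198.51.100.7 host 192.0.2.20 eq 5631
access-list 102 permit udp host 198.51.100.7 host 192.0.2.20 eq 5632
! 4. Explicit final deny with logging so blocked probes appear in the router log.
access-list 102 deny ip any any log
!
interface Serial0
 description Internet uplink (assumed interface name)
 ip access-group 102 in
```

Even the tightened list is stateless: it cannot distinguish a reply from an unsolicited packet, which is the gap a stateful firewall closes, and it does nothing about a public server that is already compromised reaching the internal subnet from inside.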