Re: Is this as bad as it seems?

From: Stefan Osterlitz (osterlitz@p-p.de)
Date: 07/29/02


From: "Stefan Osterlitz" <osterlitz@p-p.de>
To: "security-basics@securityfocus.com" <security-basics@securityfocus.com>
Date: Mon, 29 Jul 2002 18:06:36 +0200

On Sun, 28 Jul 2002 12:21:49 -0700 (PDT), Jay wrote:

>I just inherited a network with what I believe are
>numerous security holes. Here is an overview.
>
>My questions are, (1) how effective is a router-based
>access list that blocks ports, compared to a firewall?
> Pros? Cons?

you remain more vulnerable to DoS attacks and spoofed traffic.
a stateful firewall (as opposed to your router) keeps track of the connections your server has initiated.
data is checked as to whether it is the answer to a legitimate request your server made.

>(2) Is it correct that putting public
>and private hosts on different subnets is nothing more
>than minimal security by obscurity, and a major risk?

as long as there are no routing restrictions between the subnets, there is not even the obscurity ;-))

>(3) Is it as crazy as it seems, to put your domain
>controllers on public hosts? My thought is, a hacker
>who "owns" a PDC will own the entire network's
>security.
>

exactly right. external servers should not even be in the same domain as the workstations.
best practice is to set up one domain per external server or no domain on the servers.
explicitly set trust relations if you have to.
also, create a dmz (put a firewall between external and internal servers)
 
>Management believes this configuration is safe enough
>because (1) malicious traffic is "stopped at the
>router";

not at all. let us say that 90% of (directed, not worm) attacks bypass a cheap firewall.
for example, almost every workstation functions as a dns client. any incoming udp packet coming from port 53 is allowed in your router.
the latest sql server 2k exploit needed exactly one such packet to own your server....

>(2) there is no risk from malicious web
>hosting clients because their accounts are User-level
>accounts with FTP-only access, and therefore cannot
>run malicious programs;

there are usually two grades of exploits: local and remote. as soon as ftp access is allowed, local exploits become feasible.
(if php or perl are allowed (or any active content), it's as good as a shell account for that purpose)

>and (3) they aren't
>particularly concerned with systems compromise via
>DNS, DC, SQL, or other attacks aimed at
>publicly-accessible services, again because of the
>router access lists blocking most ports.

hmmm.. partially right.. if your sql server is not accessible from the outside, it can't be attacked.
but security means just as secure as the weakest link. that could be any of your workstations. your sql server will be accessible to them at least.
*zap - now they are vulnerable again.

>
>Basically, they believe the access list at the border
>is exceptionally effective because you can't get
>attacked by what can't reach your hosts. My
>background has primarily been desktop and application
>support, so the responsibility of server/network
>security is new to me.

draw them a simple diagram.. big red line from the router to the workstations (internet / email traffic)
big red line from each workstation to the relevant servers (application traffic) then put the simple question: now which server is not accessible?

>
>I believe this network is a disaster waiting to
>happen, but I don't have enough knowledge on the
>subject to create a detailed list of what's wrong for
>my boss. I'm asking for any advice, URLs, etc., that
>address what I believe are gaping holes mentioned
>above, plus those which I may not have thought of.

get a good firewall. you get them for $800 for nearly any size of internet connection.
see cisco, nokia, sonicwall, checkpoint

get a good corporate antivirus for ca $2000 upward as an smtp gateway. check all corporate email

configure your firewall with a dmz setup. separate external servers, internal servers, workstations into three nets

change your domain setup: one domain per server, one internal domain

put one cheap linux machine into your dmz with pop / smtp / http proxies.

this setup costs one week of work plus 3k - 4k $$$ and places you in a better security league than 70 % of corporations worldwide.

 
Greetings,
Stefan Osterlitz
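Added example (editorial addition, not code from the original message or its author): a small Python simulation of the router-ACL versus stateful-firewall point made above. A stateless ACL that permits inbound UDP from source port 53 so DNS answers can come back lets any packet with that source port through; a stateful filter only admits a packet that matches an outbound request it has seen. All hosts, addresses and packets below are constructed; the internal prefix, the "one query, one answer" rule and the replay packet are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A constructed packet summary; inbound=True means arriving from the Internet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"
    inbound: bool = True


INTERNAL_NET = "10.0.0."  # constructed internal address prefix


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_acl(pkt: Packet) -> bool:
    """Typical router ACL: permit all outbound traffic; permit inbound UDP whose
    source port is 53 so DNS answers reach the workstations; deny other inbound."""
    if not pkt.inbound:
        return True
    return pkt.proto == "udp" and pkt.src_port == 53


class StatefulFirewall:
    """Tracks outbound requests and admits only the matching answers."""

    def __init__(self) -> None:
        # 5-tuples (proto, src_ip, src_port, dst_ip, dst_port) awaiting a reply
        self.pending: set = set()

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if not pkt.inbound:
            if is_internal(pkt.src_ip):
                self.pending.add(key)  # remember the request we just made
            return True
        # An inbound packet is legitimate only if it reverses a pending request.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.pending:
            self.pending.discard(reverse)  # one query, one answer (assumed policy)
            return True
        return False


# Constructed traffic: a real DNS exchange, then an unsolicited packet that
# merely uses source port 53, then a replay of the earlier answer.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 3001, "198.51.100.1", 53, inbound=False),   # workstation query
    Packet("198.51.100.1", 53, "10.0.0.5", 3001),                  # resolver answer
    Packet("203.0.113.9", 53, "10.0.0.20", 1434),                  # unsolicited, sport 53
    Packet("198.51.100.1", 53, "10.0.0.5", 3001),                  # replayed answer
]


def run(filter_fn, packets):
    """Apply a filter decision function to each packet, returning allow/deny per packet."""
    return [filter_fn(p) for p in packets]


def compare(packets=SAMPLE_PACKETS):
    """Return the decisions of both filters side by side for the same stream."""
    return {
        "stateless_acl": run(stateless_acl, packets),
        "stateful_firewall": run(StatefulFirewall().allow, packets),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:18}", ["allow" if d else "DROP" for d in decisions])
```

The stateless ACL admits all four packets because it can only look at the header of each packet in isolation; the stateful filter admits the genuine answer and drops both the unsolicited packet and the replay, which is the difference the reply above describes when it says the firewall checks whether data is the answer to a request your own host made.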


