Re: lighting---hacked!

From: Alan W. Frame (alan.frame@acm.org)
Date: 05/17/02


From: alan.frame@acm.org (Alan W. Frame)
Date: Thu, 16 May 2002 23:38:02 +0100

Simon Matthews <nobody@devnull.none> wrote:

> On Thu, 16 May 2002, Alan W. Frame wrote:
>
> > Simon Matthews <nobody@devnull.none> wrote:
[]
> > > Finally, many people would disagree with the concept of having a "private"
> > > interface on a web server.
> >
> > Why?
> >
> Because if the box is compromised, then the attacker now has a box with an
> interface on your private network. He can use this to attack anything that
> is behind the firewall and is probably not so well protected.

Yes, but you stick *another* firewall/'router with attitude' between the
web server and the private network.

> If I have mis-understood what you mean by a private interface, please
> explain further.

What you're saying is true, but the idea of a screened subnet
architecture with dual-homed bastion hosts[0] is that you have:

internet
   |
Exterior router (firewall)
    |
 ------------- [Outer DMZ - subnet #1]
 | |
bastion1 bastion2..N
 | |
 ------------- [Inner DMZ - subnet #2]
    |
interior router (choke)
    |
   LAN------workstations------

Using the statefulness of iptables, it's trivial to only allow
connections initiated *from* the LAN through the interior router onto
the inside interface of the bastion hosts.

e.g: (with an iptables default deny on *all* tables on *all* hosts)

Exterior router: forward table - new incoming connections on outside
interface from anywhere to port 80 on www bastion, established & related
return traffic.

Bastion (web server): input table - new incoming connections on outside
interface from anywhere to port 80; new incoming connections on inside
interface from LAN to port 22.
output table - established & related return traffic.

Interior router: forward table - new incoming connections on inside
interface from LAN to port 22 on www bastion, established & related
return traffic.

The bastion ssh listener is only active on the inside interface - if
that box is compromised, then it's hard to attack the LAN; because of the
egress filtering on the firewall, even if the web server is IIS, Code
Red/nimda/ftp-ing down a rootkit/etc won't work.[1]

As far as the bastion web server is concerned, you've reduced your
concern to application-level vulnerabilities, and need only worry about,
say, Apache exploits - nothing else can hit that box.

The interior and exterior routers may only allow console access, but
you'll probably find that your web designers don't like manually typing
their content on the console of the web server...
For extra flavor, have the interior router and bastion only allow
connections from your (specified by IP address) internal 'staging area'
server that does rsync over ssh.

That's for a public-facing web host with ssh admin from the LAN -
running mail/dns/outgoing squid proxy on another bastion, and choosing
where to DNAT/SNAT is left as an exercise for the reader... ;-)

rgds, Alan
[0] As described in Ora's _Building Internet Firewalls_, Chapter 4
[1] For that reason, your suggestions about not running *any* services on
the firewall are correct - it's kinda hard[2] to crack a box that's just
routing.
[2] low-level IP attacks excepted, but at least you're not worrying about
userland stuff like SSH exploits on *that* box.

-- 
99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5
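The three rule sets Alan describes (exterior router, bastion, interior router, all default-deny, with the "extra flavor" of admin ssh restricted to a staging host), written out as an added example rather than a script from the post: one shell function per host. Addresses, interface names and the staging host are assumed placeholders; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Screened-subnet rule sets for the three hosts in the post, one function each.
# IPT=echo prints the rules instead of applying them (default: iptables, needs root).
IPT="${IPT:-iptables}"

# Assumed placeholder addresses and interface names.
WWW=192.0.2.10        # www bastion, outer-DMZ address
WWW_IN=10.0.2.10      # www bastion, inner-DMZ address
STAGING=10.0.0.5      # LAN staging host that pushes content with rsync over ssh

default_deny() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# eth0 = internet, eth1 = outer DMZ
exterior_router() {
    default_deny
    # only new HTTP connections in; replies pass only if a conntrack entry exists
    $IPT -A FORWARD -i eth0 -o eth1 -d "$WWW" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# eth0 = outer DMZ, eth1 = inner DMZ; sshd is bound to the eth1 address only
bastion() {
    default_deny
    $IPT -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth1 -s "$STAGING" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # egress: replies only, so a compromised web server cannot open outbound connections
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# eth0 = inner DMZ, eth1 = LAN
interior_router() {
    default_deny
    $IPT -A FORWARD -i eth1 -o eth0 -s "$STAGING" -d "$WWW_IN" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    exterior) exterior_router ;;
    bastion)  bastion ;;
    interior) interior_router ;;
esac
```

Run it as `IPT=echo sh rules.sh bastion` to review a host's rule set before applying it on that box.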
