LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Valdis Kletnieks <[log in to unmask]>
Sat, 25 Mar 2000 00:38:45 -0500
text/plain (150 lines)
OK.. Disclaimer up front.  It's quite possible that Mr Loftis and his
organization are in fact quite clued and capable.  Also, the concept of
a DMZ firewall is sound, and works well *as part of a total policy*.
In addition, I have *no* knowledge of what Loftis' site's total policy
is, I'm writing about common deficiencies and errors I've seen OTHER sites
commit while trying to get a firewall installed.

The average security at most firewall-protected sites can be described
as a Tootsie-Pop - crunchy on the outside, soft and chewy on the inside.
Installing a firewall does *not* excuse a site from being *just* as
security-vigilant as they would be if they did NOT have a firewall at all.

On Fri, 24 Mar 2000 17:26:00 MST, Michael Loftis said:
> No it isn't.  Using IPCHAINS for Linux I've already locked off the NFS
> server.  I can also (and have) blocked all remote RPC type traffic.  This
> allows the internal network to use NFS against the machine w/o
> compromising security.  The access list is IP (not domain) restricted as
> well.

Urp.  This is a *lot* harder to get right than most sites think. ;)

Hint:  NFS is (usually) UDP based.  This means you don't even have
to get the sequence number right to do a TCP sequence number hijacking.

(Yes, it's possible you've already thought about all this stuff, and
the firewall and ipchains are actually configured right.  On the other
hand, I've encountered a *lot* of sites that configure ipchains to
filter out "bad" addresses and never adequately address the issue of
forged packets and similar nasties.  The bad guys keep astounding us -
I personally *never* would have thought of using forged ICMP ECHO REPLY
packets to map a network behind a firewall. ;)

I get *at least* one piece of e-mail per week complaining that my
workstation is portscanning some poor victim's site.  The *real*
problem?  They downloaded some "synchronize your clock" program, and
forgot to open port 13/37/123 traffic.  My workstation is an NTP server
for historical reasons.  So they ask for a timecheck, I send them the
time, and their firewall software squawks.

> No the real problem is it cannot be done.  There are a limited number of
> IPs available and there is no reason to waste one on the ListServ machine.

Man, you must be *TIGHT* for IP addresses.  Your organization isn't
planning to grow anytime soon, is it?  (I'm being serious here - if you
are that constrained on IPs, you're in trouble if you intend to grow).

In any case, you don't need an IP address for the Listserv machine - it
is quite feasible to use a CNAME to point to another machine, and run
Listserv and whatever else on the same box.  It would not be difficult
at all to get Listserv to co-exist on your Web server (unless you are
already seeing capacity problems on your web server - see below).

> The other reason is the ListServ is on the other side of the DMZ of the
> firewall.  Moving it into the DMZ would be a breach of security (because
> it's used for other things) for one, and for two would require either

This shows two things:  First, that your site policy doesn't prohibit
running Listserv on the same box as other processing, and second, that
you already understand how to get Listserv to "play nice" address-wise.

> physical relocation of the machine to the server room (out of the
> question, there isn't any space left) or dropping a new wire (also out of
> the question because our security policy does not allow any DMZ computer
> to reside outside of the secured and locked server room).

Man, that's a *cramped* machine room, or you're planning some *very*
serious mail processing.  And if you're planning THAT much mail handling,
it's going to *really* do a fandango on your firewalls..

I could see how you might have trouble finding room for our
organization's current main mail hub in a small closet, as it's a Sun
E6500 taking up 2 19" racks.  On the other hand, our current Listserv
box (IBM RS6K-F30) is about the same size as your average Compaq or
Dell deskside PC, and we used an IBM RS6000-250 as a Listserv machine
for quite some time, that was a tiny little pizza-box.  In a pinch, a
-250 *will* run perfectly fine without a keyboard/mouse/monitor (and
can even boot in that configuration), only needing a laptop with a
RS232 cable and a modem program if it is totally dead in the water.
I've seen a number of companies offering 1 and 2-space rackmount Linux
servers that would probably offer even more bang per rackmount inch.
In 1 unit of space, you should be able to get up to the first million
or so hit/deliveries per day.  If you are *OUT* of rackspace slots and
don't even have 1 unit of space left, you got bigger problems than
where to run Listserv ;)

I'm failing to see what the concern about running Listserv on the same
machine as the Web server is.  Unless there's a policy reason saying
*thou shalt not* share anything with the webserver, or you are already
capacity-wise stuck (see above regarding space, and what you're going
to do regarding upgrading said overloaded webserver), it should
actually be possible to have Listserv and http co-exist on the same box
*more* securely than if you have to build a tunnel out to another
machine (hint - if it's on the *same* box, you can then use ipchains
or firewall it so all the port 2401 traffic is restricted to the
loopback interface).  That way, you don't have to worry about NFS or
port 2401 traffic being forged, intercepted, or sniffed (and for those
of you who didn't know, it *IS* possible to sniff traffic for other
ports on most vendors' switched Ethernet hubs - do NOT bet your
security plans on that).

Most sites have the luxury of being able to base their security plans
on the assumption that *some* of your own users *may* go bad.  We have
to assume that our own users are the enemy (anybody *else* out there
had one of your own users try to hack a new server less than 10 minutes
after its network connection went live? ;)

I'll state for the record that our servers are in a locked/secured
room.  However, I've also seen a *lot* of sites that say "DMZ computers
are in a locked room" but the policy is *NOT* thought through.  Just
the other day, I was using my security badge to get into our machine
room, and a manager-level co-worker made a comment regarding "they'll
let any riff-raff in now".  I pointed out to him that in fact, I was
*more* dangerous sitting in the comfort of my much-less secure office.
Our routers and networking gear are in locked wiring closets because
we're a university, and non-physically secured locations are assumed to
be *actively* hostile (i.e. theft, physical-access attacks on a server,
etc).   However, we consider our machine room more for environmental
reasons (power, halon, raised floor, etc) than security.  Most
network-based attacks don't care in the slightest if a machine is
physically secured, and most successful network security plans do *not*
rely on physical security of *other* machines in the DMZ. If you are in
the DMZ, and trust another machine in the DMZ, it doesn't matter in the
slightest if that machine is hacked via the net or via physical
attack.  This has major implications that *a lot* of sites miss...

Do PCs/workstations in *unsecured* areas have network connections in
your behind-the-firewall zone that can reach DMZ machines?  Are *all*
visitors escorted at all times?  Do any of your PC's have modem
connections?  Have you addressed social engineering issues?  Have
you addressed virus-scanning and trojan-horse issues (consider a
carefully crafted malicious e-mail attachment that contains a
screensaver, trojaned to install Back Orifice or other trojan 3 weeks
after initial receipt of the attachment, and configured to Do Something
Nasty to a machine in your DMZ from a PC in your office areas. Yes,
this has been seen before).

Of course, your servers *all* have all the latest patches installed,
right?  And you *did* verify that said patches were *from the vendor*,
and not trojan'ed, right? (See CERT announcement CA-99-01)

And always keep in mind that although "teenage mutant ninja internet hacker"
is the newsworthy buzzword these days, most attacks are currently
believed by the security community to be (a) unreported/undetected,
and (b) usually an inside job.  Check all your staffers to make sure
that their gruntles are present - the disgruntled ones are dangerous.

Paranoid yet? ;)  Good. Just remember to be paranoid about the RIGHT things. ;)

/Valdis
