OK.. Disclaimer up front. It's quite possible that Mr Loftis and his
organization are in fact quite clued and capable. Also, the concept of a
DMZ firewall is sound, and works well *as part of a total policy*. In
addition, I have *no* knowledge of what Loftis' site's total policy is,
I'm writing about common deficiencies and errors I've seen OTHER sites
commit while trying to get a firewall installed.

The average security at most firewall-protected sites can be described as
a Tootsie-Pop - crunchy on the outside, soft and chewy on the inside.
Installing a firewall does *not* excuse a site from being *just* as
security-vigilant as they would be if they did NOT have a firewall at all.

On Fri, 24 Mar 2000 17:26:00 MST, Michael Loftis said:

> No it isn't. Using IPCHAINS for Linux I've already locked off the NFS
> server. I can also (and have) blocked all remote RPC type traffic. This
> allows the internal network to use NFS against the machine w/o
> compromising security. The access list is IP (not domain) restricted as
> well.

Urp. This is a *lot* harder to get right than most sites think. ;) Hint:
NFS is (usually) UDP based. This means you don't even have to get the
sequence number right to do a TCP sequence number hijacking.

(Yes, it's possible you've already thought about all this stuff, and the
firewall and ipchains are actually configured right. On the other hand,
I've encountered a *lot* of sites that configure ipchains to filter out
"bad" addresses and never adequately address the issue of forged packets
and similar nasties. The bad guys keep astounding us - I personally
*never* would have thought of using forged ICMP ECHO REPLY packets to map
a network behind a firewall. ;)

I get *at least* one piece of e-mail per week complaining that my
workstation is portscanning some poor victim's site. The *real* problem?
They downloaded some "synchronize your clock" program, and forgot to open
port 13/37/123 traffic. My workstation is an NTP server for historical
reasons. So they ask for a timecheck, I send them the time, and their
firewall software squawks.

> No the real problem is it cannot be done. There are a limited number of
> IPs available and there is no reason to waste one on the ListServ machine.

Man, you must be *TIGHT* for IP addresses. Your organization isn't
planning to grow anytime soon, is it? (I'm being serious here - if you are
that constrained on IPs, you're in trouble if you intend to grow).

In any case, you don't need an IP address for the Listserv machine - it is
quite feasible to use a CNAME to point to another machine, and run
Listserv and whatever else on the same box. It would not be difficult at
all to get Listserv to co-exist on your Web server (unless you are already
seeing capacity problems on your web server - see below).

> The other reason is the ListServ is on the other side of the DMZ of the
> firewall. Moving it into the DMZ would be a breach of security (because
> it's used for other things) for one, and for two would require either

This shows two things: First, that your site policy doesn't prohibit
running Listserv on the same box as other processing, and second, that you
already understand how to get Listserv to "play nice" address-wise.

> physical relocation of the machine to the server room (out of the
> question, there isn't any space left) or dropping a new wire (also out of
> the question because our security policy does not allow any DMZ computer
> to reside outside of the secured and locked server room).

Man, that's a *cramped* machine room, or you're planning some *very*
serious mail processing. And if you're planning THAT much mail handling,
it's going to *really* do a fandango on your firewalls.. I could see how
you might have trouble finding room for our organization's current main
mail hub in a small closet, as it's a Sun E6500 taking up 2 19" racks.

On the other hand, our current Listserv box (IBM RS6K-F30) is about the
same size as your average Compaq or Dell deskside PC, and we used an IBM
RS6000-250 as a Listserv machine for quite some time, that was a tiny
little pizza-box. In a pinch, a -250 *will* run perfectly fine without a
keyboard/mouse/monitor (and can even boot in that configuration), only
needing a laptop with a RS232 cable and a modem program if it is totally
dead in the water.

I've seen a number of companies offering 1 and 2-space rackmount Linux
servers that would probably offer even more bang per rackmount inch. In 1
unit of space, you should be able to get up to the first million or so
hit/deliveries per day. If you are *OUT* of rackspace slots and don't even
have 1 unit of space left, you got bigger problems than where to run
Listserv ;)

I'm failing to see what the concern about running Listserv on the same
machine as the Web server is. Unless there's a policy reason saying *thou
shalt not* share anything with the webserver, or you are already
capacity-wise stuck (see above regarding space, and what you're going to
do regarding upgrading said overloaded webserver), it should actually be
possible to have Listserv and http co-exist on the same box *more*
securely than if you have to build a tunnel out to another machine (hint -
if it's on the *same* box, you can then use ipchains or firewall it so all
the port 2401 traffic is restricted to the loopback interface). That way,
you don't have to worry about NFS or port 2401 traffic being forged,
intercepted, or sniffed (and for those of you who didn't know, it *IS*
possible to sniff traffic for other ports on most vendors' switched
Ethernet hubs - do NOT bet your security plans on that).

Most sites have the luxury of being able to base their security plans on
the assumption that *some* of your own users *may* go bad. We have to
assume that our own users are the enemy (anybody *else* out there had one
of your own users try to hack a new server less than 10 minutes after its
network connection went live? ;)

I'll state for the record that our servers are in a locked/secured room.
However, I've also seen a *lot* of sites that say "DMZ computers are in a
locked room" but the policy is *NOT* thought through. Just the other day,
I was using my security badge to get into our machine room, and a
manager-level co-worker made a comment regarding "they'll let any
riff-raff in now". I pointed out to him that in fact, I was *more*
dangerous sitting in the comfort of my much-less secure office.

Our routers and networking gear are in locked wiring closets because we're
a university, and non-physically secured locations are assumed to be
*actively* hostile (i.e. theft, physical-access attacks on a server, etc).
However, we consider our machine room more for environmental reasons
(power, halon, raised floor, etc) than security.

Most network-based attacks don't care in the slightest if a machine is
physically secured, and most successful network security plans do *not*
rely on physical security of *other* machines in the DMZ. If you are in
the DMZ, and trust another machine in the DMZ, it doesn't matter in the
slightest if that machine is hacked via the net or via physical attack.

This has major implications that *a lot* of sites miss... Do
PCs/workstations in *unsecured* areas have network connections in your
behind-the-firewall zone that can reach DMZ machines? Are *all* visitors
escorted at all times? Do any of your PC's have modem connections? Have
you addressed social engineering issues? Have you addressed virus-scanning
and trojan-horse issues (consider a carefully crafted malicious e-mail
attachment that contains a screensaver, trojaned to install Back Orifice
or other trojan 3 weeks after initial receipt of the attachment, and
configured to Do Something Nasty to a machine in your DMZ from a PC in
your office areas. Yes, this has been seen before). Of course, your
servers *all* have all the latest patches installed, right? And you *did*
verify that said patches were *from the vendor*, and not trojaned, right?
(See CERT announcement CA-99-01)

And always keep in mind that although "teenage mutant ninja internet
hacker" is the newsworthy buzzword these days, most attacks are currently
believed by the security community to be (a) unreported/undetected, and
(b) usually an inside job. Check all your staffers to make sure that their
gruntles are present - the disgruntled ones are dangerous.

Paranoid yet? ;) Good. Just remember to be paranoid about the RIGHT
things. ;)

/Valdis
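The filtering discipline the reply argues for (drop forged source addresses by looking at the interface a packet arrived on, not just its address; let NFS and the portmapper be reached only from the inside; confine the Listserv/web coupling port 2401 to loopback) as an added Python illustration. This is not code from the original message, from Valdis' site or from Loftis' site; it models an ipchains-style first-match input chain in plain Python so the policy can be exercised offline. The addressing plan (eth0 outside, eth1 inside, 10.1.0.0/16 internal), the interface names and every sample packet are constructed for the example, and `address_only_evaluate` is a hypothetical "IP-restricted only" variant shown beside the strict one for contrast.

```python
"""Toy first-match packet filter, modelled on an ipchains-style input chain.

Added illustration, not code from the original message. Addresses,
interface names and the sample packets below are constructed.
"""
from ipaddress import IPv4Network, ip_address
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple

# Constructed addressing plan (assumption): eth0 faces the outside world,
# eth1 faces the internal network, lo is the loopback interface.
INTERNAL_NET = IPv4Network("10.1.0.0/16")
LOOPBACK_NET = IPv4Network("127.0.0.0/8")
EXT_IF, INT_IF, LO_IF = "eth0", "eth1", "lo"


class Packet(NamedTuple):
    iface: str                  # interface the packet arrived on
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


class Rule(NamedTuple):
    name: str
    verdict: str                            # "ACCEPT" or "DENY"
    iface: Optional[str] = None             # None = any interface
    proto: Optional[str] = None             # None = any protocol
    src_net: Optional[IPv4Network] = None   # None = any source address
    src_negate: bool = False                # True = source NOT in src_net
    dports: FrozenSet[int] = frozenset()    # empty = any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every constrained field of the rule must agree with the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_net is not None:
        in_net = ip_address(pkt.src) in rule.src_net
        if in_net == rule.src_negate:       # negate flips the sense
            return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return True


RULES: List[Rule] = [
    # Local processes talking to each other over loopback are fine.
    Rule("lo-accept", "ACCEPT", iface=LO_IF),
    # Anti-spoofing: the outside interface must never deliver a packet that
    # claims an internal or loopback source address...
    Rule("spoof-internal-from-outside", "DENY", iface=EXT_IF, src_net=INTERNAL_NET),
    Rule("spoof-loopback-from-outside", "DENY", iface=EXT_IF, src_net=LOOPBACK_NET),
    # ...and the inside interface must never deliver an outside source.
    Rule("spoof-external-from-inside", "DENY", iface=INT_IF,
         src_net=INTERNAL_NET, src_negate=True),
    # Port 2401 is loopback-only: anything reaching this rule arrived on a
    # real interface (loopback was accepted above), so deny it.
    Rule("port-2401-loopback-only", "DENY", proto="tcp", dports=frozenset({2401})),
    # NFS (2049) and the portmapper (111) only from the internal network AND
    # only via the internal interface; the source address alone is forgeable.
    Rule("nfs-rpc-internal", "ACCEPT", iface=INT_IF, src_net=INTERNAL_NET,
         dports=frozenset({111, 2049})),
    Rule("nfs-rpc-deny", "DENY", dports=frozenset({111, 2049})),
    # Public services offered to everyone.
    Rule("ntp", "ACCEPT", proto="udp", dports=frozenset({123})),
    Rule("http", "ACCEPT", proto="tcp", dports=frozenset({80})),
]
DEFAULT_POLICY = "DENY"


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins, as in an ipchains chain; else the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.verdict, rule.name
    return DEFAULT_POLICY, "default-policy"


def address_only_evaluate(pkt: Packet) -> Tuple[str, str]:
    """Hypothetical weak variant: no anti-spoof rules, and the NFS/RPC allow
    keyed on source address alone. This is what 'IP-restricted' amounts to
    when the arrival interface is not checked."""
    weak = [r._replace(iface=None) if r.name.startswith("nfs") else r
            for r in RULES if not r.name.startswith("spoof")]
    return evaluate(pkt, weak)


# Constructed sample traffic (not captured from any real network).
SAMPLE_PACKETS: Dict[str, Packet] = {
    "local-listserv-to-web":  Packet(LO_IF,  "tcp", "127.0.0.1",   "127.0.0.1",  2401),
    "inside-host-to-2401":    Packet(INT_IF, "tcp", "10.1.5.20",   "10.1.0.1",   2401),
    "forged-internal-nfs":    Packet(EXT_IF, "udp", "10.1.5.20",   "192.0.2.10", 2049),
    "inside-host-nfs":        Packet(INT_IF, "udp", "10.1.5.20",   "10.1.0.1",   2049),
    "outside-portmapper":     Packet(EXT_IF, "udp", "203.0.113.9", "192.0.2.10", 111),
    "outside-http":           Packet(EXT_IF, "tcp", "203.0.113.9", "192.0.2.10", 80),
    "outside-ntp":            Packet(EXT_IF, "udp", "203.0.113.9", "192.0.2.10", 123),
    "forged-external-inside": Packet(INT_IF, "tcp", "203.0.113.9", "10.1.0.1",   80),
}


def run_samples(strict: bool = True) -> Dict[str, str]:
    """Verdict per sample packet under the strict or the address-only policy."""
    fn = evaluate if strict else address_only_evaluate
    return {name: fn(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    strict, weak = run_samples(True), run_samples(False)
    for name in SAMPLE_PACKETS:
        print(f"{name:24} strict={strict[name]:6} address-only={weak[name]}")
```

Run it directly to see the two columns side by side: the forged packet that arrives on eth0 claiming an internal source is denied by the strict chain but accepted by the address-only one, which is exactly the gap between "the access list is IP restricted" and "forged packets are handled".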