On Thu, 20 May 1999, Joshua Chamas wrote:
> One of the fundamental benefits of this architecture is that
> the internal server is not susceptible to arbitrary packets
> sent by an attacker. Only attacks that result in "correct"
> requests to be forwarded can do any harm, and this will narrow
> a hacker's field considerably.
Not necessarily: a URI doesn't have a bounded length, so what constitutes
a legal HTTP request is an extremely large subset of everything. If
you're worried about arbitrary packets, screen the host.
> I believe that reverse proxying services is fairly safe in general
> as long as the proxy is not simply forwarding arbitrary packets
> internally. This architecture is consistent with a DMZ bastion host
> strategy.
No, it isn't consistent with a DMZ bastion strategy in the popular
instantiation of such, where incoming traffic isn't allowed past that
boundary.
> dropped and not forwarded on. I see what you mean, in that reverse proxy
> architecture is not foolproof, but sometimes better than the alternative,
> like giving DMZ hosts access to internal databases.
In general, a proxy to bound database requests is a much, much smaller
subset of everything than a proxy to bound HTTP requests.
> If your opinion is correct, then there's little hope, as most services
> are "securely" run when proxied, like outbound DNS, inbound SMTP, etc.
There is very little hope. That's why IDS systems are quickly becoming
interesting. DNS is a fairly limited protocol, and "proxying" DNS
generally isn't done; DNS is either passed to the client directly, or
passed to an internal nameserver, neither of which is a proxy written
expressly for security, let alone to limit the range of possible attacks
or compromises using DNS as a mechanism or part of a mechanism to further
the compromise of a host or network. SMTP is as bad as HTTP; at least
DNS isn't completely open from a tunneling perspective, though some sort
of rate limitation would really be necessary to mitigate the risk to a
minuscule level.
It's no coincidence that attackers are using SMTP, DNS and HTTP as
tunnels in and out of trojaned machines. I've always had the opinion
that the security job was making that more difficult, not easier.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
                        which may have no basis whatsoever in fact."
PSB#9280
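A small illustration of the point made above, added here as example code and not part of the original thread: a reverse proxy that only checks "is this a legal HTTP request?" still forwards a request carrying 4 KB of opaque data in its URI, whereas a proxy in front of the database can restrict the back end to a handful of named, typed query shapes. The request strings, query-shape names and parameter types are constructed for the example.

```python
import re

# Constructed sample: a perfectly well-formed HTTP/1.0 request whose URI
# carries 4 KB of arbitrary data. The request-line grammar puts no bound
# on URI length, so an HTTP-level "legality" check forwards it unchanged.
LONG_URI_REQUEST = (
    "GET /search?q=" + "A" * 4096 + " HTTP/1.0\r\n"
    "Host: intranet.example\r\n\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")
HEADER_LINE = re.compile(r"^[A-Za-z0-9-]+:\s*.*$")


def http_request_is_legal(raw: str) -> bool:
    """Accept anything that parses as an HTTP/1.x request.

    This is the kind of check a reverse proxy can make. Note how little it
    excludes: any method, URI and headers that parse are "correct" requests.
    """
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        return False
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return False
    return all(HEADER_LINE.match(h) for h in lines[1:])


# By contrast, a proxy in front of the database can bound requests to a
# small allowlist of named query shapes with typed parameters (constructed
# names); anything outside the allowlist is rejected before it reaches the DB.
DB_QUERY_SHAPES = {
    "customer_by_id": {"id": int},
    "orders_by_customer": {"customer_id": int, "limit": int},
}


def db_request_is_allowed(name: str, params: dict) -> bool:
    shape = DB_QUERY_SHAPES.get(name)
    if shape is None or set(params) != set(shape):
        return False
    for key, expected_type in shape.items():
        value = params[key]
        if type(value) is not expected_type:  # exact type: no str, no bool
            return False
        if expected_type is int and not 0 <= value < 2**31:
            return False
    return True
```

Running `http_request_is_legal(LONG_URI_REQUEST)` returns True while `db_request_is_allowed("customer_by_id", {"id": "42 OR 1=1"})` returns False, which is the asymmetry the message describes.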