I have to agree w/ Ron. Very, very few admins know how or have even heard the
phrase "harden the box". Hell, you mention that phrase and they look at you
like you're stupid! Harden any box, inside or out! Harden it! Damn admins,
they get a cert and think they know the world.
Basically, you only need one firewall. If they hack it, u're LOS. However,
if your OS's are hardened you greatly reduce the risk of any more damage. Oh,
and be sure to harden the firewall OS. If your policy is to go down and
ipfwd is off, they have to hack the firewall OS.
Oh and one more thing. If you're going to leave telnet open, turn the
welcome banner OFF. <-- Quickest way to find what OS is running on a box.
-Allen
----- Original Message -----
From: "Ron DuFresne" <[EMAIL PROTECTED]>
To: "Eric Johnson" <[EMAIL PROTECTED]>
Cc: "Alvin Oga" <[EMAIL PROTECTED]>; "William Bartholomew"
<[EMAIL PROTECTED]>; "'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>
Sent: Thursday, July 12, 2001 10:11 PM
Subject: Re: Personal Firewalls
>
> Why does everyone want to put up another firewall all the time, must be
> catch-phrase time in security. As we mentioned, this does not require
> another FW unless I misread something here, harden the exposed host and
> only allow the inside to connect out to it. Its main purpose is to
> gather stuff from an insecure net, and transfer that data inside. It is
> hardened only to make it more difficult to compromise and thus reduce time
> required to fix.
>
>
> How many admins that work on inside networks actually know how to install
> even a semi-hardened server these days? After all, most incidents happen
> behind the firewall...
>
> Thanks,
>
> Ron DuFresne
>
>
> On Thu, 12 Jul 2001, Eric Johnson wrote:
>
> > At 04:56 PM 7/12/2001 -0700, Alvin Oga wrote:
> >
> > >hi ...
> > >
> > >just my $0.02 worth...
> > >
> > > >
> > > > Would it be better to put it out on the DMZ or to run two DMZ's?
> > > >
> > > > I'd think it would be better to run two firewalls. Something like:
> > > >
> > > > Router/Firewall
> > > > |
> > > > DMZ
> > > > |
> > > > Firewall ---- ADSL machine -- Router/Firewall -- ADSL
> > > > |
> > > > Internal Network
> > >
> > >dmz machines are endpoints... it shouldn't pass traffic to internal
> > > lans and firewalls
> > >
> > >
> > >If time and cost and maintenance and skills were more of an issue ...
> > >I'd propose a simpler solution for some personal networks
> > >
> > >
> > > internet
> > > |
> > > |
> > >adsl router/firewall ( hardware version ? )
> > > |
> > > f i r e w a l l ( ipchains etc )
> > > | |
> > > dmz internal lan
> > >192.168.x 10.0.1.x
> > >
> > >internal lan should NOT allow incoming traffic to the internal lan
> >
> > I have seen diagrams like that, but they make me a bit nervous
> > having only a single point of failure to compromise the internal
> > network.
> >
> > But you are right in one respect. Maybe my drawing should have been
> > something like this instead:
> >
> > Router/Firewall -- DMZ
> > |
> > Firewall ---- ADSL machine -- Router/Firewall -- ADSL
> > |
> > Internal Network
> >
> > My understanding of a DMZ is that it is usually one or more
> > computers that are hardened and somewhat protected by a
> > firewall or a router with ACL lists. I really didn't mean that the
> > traffic from the internal network to the internet would pass through
> > each computer in the DMZ. Just that the company firewall itself
> > is in the DMZ.
> >
> > Also, in the message that started this, I had the impression that
> > they actually have two internet connections. One through their
> > ISP for general use and an ADSL connection for limited use.
> >
> > >yes... if they hack into the firewall you're hosed... but you're
> > >hosed anyway if they get into any firewall... cause if they get into
> > >one... they can probably get into the 2nd one that is also
> > >misconfigured???
> >
> > Probably. But hopefully by the time they get into one and find out
> > there is another to get through, they will have been discovered and
> > actions will be started to keep them from going further.
> >
> > It is clear that the company LAN requires more serious protection
> > than does the DMZ. Ideally, the computers in the DMZ should be
> > hardened (it would take a real lunatic to put a Windows 95 or 98
> > computer there).
> >
> > In reality, the demands for protection of the DMZ are much different
> > from the demands for protection of the internal network. If you use
> > a firewall to protect the DMZ instead of ACLs on a router, why not
> > use one that is tuned to the job? And for the internal firewall, use
> > one tuned to that job.
> >
> > If you just use one firewall for both, there would seem to be a greater
> > chance of misapplying the rules for one side to also apply to the
> > other. It would be easy to accidentally permit incoming traffic on
> > to the DMZ and the internal network when you really meant to just
> > limit traffic to the DMZ.
> >
> > Of course, a large company might reasonably have a large number of
> > firewalls with individual departments in the company firewalled from
> > the rest of the company.
> >
> > Eric Johnson
> >
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
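Eric's worry above, that a single firewall serving both the DMZ leg and the internal leg makes it easy for an "allow inbound" rule to spill onto the internal network, can be shown with a small first-match packet filter built on the three zones from Alvin's diagram (internet, dmz, internal lan). This is an added illustration written for this page, not code from any poster; the zone names, ports and both rule sets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the three-legged firewall discussed in the thread:
# one box, with the internet, the dmz and the internal lan each on its own leg.

@dataclass(frozen=True)
class Packet:
    src_zone: str      # leg the packet arrives on
    dst_zone: str      # leg it would be forwarded to
    dport: int
    new: bool = True   # True for a new connection, False for a reply

@dataclass(frozen=True)
class Rule:
    src: str                 # zone name or "any"
    dst: str                 # zone name or "any"
    dport: Optional[int]     # None matches every port
    action: str              # "accept" or "drop"

def decide(rules, pkt, default="drop"):
    """First matching rule wins; the default policy is drop (fail closed)."""
    if not pkt.new:
        return "accept"      # replies to connections already allowed
    for r in rules:
        if (r.src in ("any", pkt.src_zone) and r.dst in ("any", pkt.dst_zone)
                and r.dport in (None, pkt.dport)):
            return r.action
    return default

# Sloppy rule set: "let web traffic in" written without naming the dmz leg,
# so it also admits port 80 from the internet straight into the internal lan.
SLOPPY = [Rule("internet", "any", 80, "accept"),
          Rule("internal", "any", None, "accept")]

# Tightened rule set: inbound only to the dmz leg, and dmz hosts (endpoints,
# as Alvin says) are never allowed to open connections into the internal lan.
TIGHT = [Rule("internet", "dmz", 80, "accept"),
         Rule("dmz", "internal", None, "drop"),
         Rule("internal", "any", None, "accept")]

PROBES = {"web_to_dmz": Packet("internet", "dmz", 80),
          "web_to_lan": Packet("internet", "internal", 80),
          "dmz_to_lan": Packet("dmz", "internal", 445),
          "lan_out": Packet("internal", "internet", 443)}

def audit(rules):
    """Return the verdict for every probe packet under one rule set."""
    return {name: decide(rules, pkt) for name, pkt in PROBES.items()}
```

Running `audit(SLOPPY)` shows `web_to_lan` accepted, which is exactly the misapplied rule Eric describes; `audit(TIGHT)` drops it while still letting the DMZ web server be reached and the LAN connect out.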