Chris Zakelj wrote:
Clint Pachl wrote:
Is it possible for a cracker to compromise or root a machine on a network that has pf enabled with the single rule "block all in"?
I suspect you're just fishing, but in the interests of spirited debate....
- Is "block in all" the first rule, the last rule, or somewhere in between? (Yes, it DOES matter)
- Does the cracker have alternate methods of entry (tty, ssh, console, etc)?


Not fishing, just thinking. I didn't want to get into too many non-OpenBSD details on MISC, but I will expound a little.

I'm trying to design a simple, but secure network with a couple of DMZs and a minimum of firewalls. Here is my initial thought.


       [Internet]
           |
           |
[DMZ_2]---[FW]---[DMZ_1]
           |
           |
         [LAN]

DMZ_1 => web servers
DMZ_2 => database servers
LAN => servers like Kerberos, ntp, DNS, backup (dump via ssh), & engineering workstations

Traffic Flow
------------
Internet -> DMZ_1 (people need web pages)
DMZ_1    -> DMZ_2 (get data to populate the web pages)
DMZ_2    -> LAN (for Kerberos, ntp, DNS, backup)
DMZ_1    -> LAN (for Kerberos, ntp, DNS, backup)

OK, so you're never supposed to let a server on a "public DMZ" access a server on your LAN. So I was thinking of creating a management subnet that would allow out-of-band services, such as backup, Kerberos, ntp, etc. To implement the out-of-band channel, each of the hosts on the DMZs would get an additional NIC for communicating on the management subnet. None of these hosts would allow packet forwarding and all would use the "block in" rule for that interface. There is no need to log in to the hosts via ssh because they are automatically configured, pulling updates from a "golden" server. If a login is needed, it would be from the serial console.

Below is my topology re-design that implements the management subnet. The DMZs access the LAN directly via the management subnet for Kerberos, ntp, backup, and DNS service. I would probably put a network monitor on the management subnet to detect suspicious traffic. Is this topology insecure? Suggestions and criticisms are very welcome.

       [Internet]
           |
           |
[DMZ_2]---[FW]---[DMZ_1]
  |        |       |
  |        |       |
  ------>[LAN]<-----


In my DMZ research, some sources state that all services need to be replicated in each DMZ. Following that advice, I would have to set up Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like a lot of work. What do you guys think?

-pachl
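A pf.conf for the [FW] box in the second topology, written as an added example for this thread (it is not code posted by either participant). It passes only the two flows that still cross the firewall in that design and shows the rule-ordering point raised above: pf is last-match-wins unless a rule says `quick`, so where "block in all" sits relative to the pass rules decides whether anything gets through. Interface names, the addresses (RFC 5737 documentation ranges) and the database port are assumptions.

```pf
# /etc/pf.conf for [FW], second topology. Added example, not from the thread.
# Interface names, addresses and the database port below are assumptions.

ext_if  = "em0"          # toward [Internet]
dmz1_if = "em1"          # [DMZ_1]  web servers
dmz2_if = "em2"          # [DMZ_2]  database servers
lan_if  = "em3"          # [LAN]

dmz1_net = "192.0.2.0/24"        # assumed addressing
dmz2_net = "198.51.100.0/24"
lan_net  = "203.0.113.0/24"

db_port = "5432"                 # assumed: whatever the database servers listen on

set skip on lo0
set block-policy drop

# pf evaluates the whole ruleset and the LAST matching rule wins unless a
# rule says "quick". So this default deny goes FIRST and the pass rules below
# override it. Put "block in all" at the END with no "quick" on the passes
# and the block silently wins for every packet.
block all
block in log on $ext_if          # log only unsolicited traffic from the Internet

# Drop packets on internal interfaces that claim a source they cannot have.
antispoof quick for { $dmz1_if $dmz2_if $lan_if }

# Internet -> DMZ_1 (people need web pages)
pass in quick on $ext_if proto tcp from any to $dmz1_net port { www https } keep state

# DMZ_1 -> DMZ_2 (get data to populate the web pages). No other DMZ_1 egress.
pass in quick on $dmz1_if proto tcp from $dmz1_net to $dmz2_net port $db_port keep state

# Kerberos, ntp, DNS and backup from the DMZs to the LAN are deliberately NOT
# passed here: in this design they travel over the out-of-band management
# subnet, which does not cross the firewall. LAN egress to the Internet is
# also absent; add it only if the LAN actually needs it.

# Because the pass rules keep state, "block all" also covers the reverse
# direction correctly: reply packets of an established connection match the
# state entry on the other interface and never reach the ruleset, so no
# "pass out" rules are needed.
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -sr` afterwards to see the ordering pf actually ended up with.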

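The matching host-side ruleset for the second NIC on a DMZ host, again an added example rather than anything posted in the thread. It is the "block in" on the management interface described above, with outbound, stateful rules for exactly the services the design names. The management addresses, the "golden" server and the backup direction (host pushes its dump over ssh, since a pull would need a pass-in rule) are assumptions.

```pf
# /etc/pf.conf fragment on a DMZ host (web or database server).
# Added example, not from the thread; addresses and server names are assumed.

mgmt_if  = "em1"              # second NIC, on the management subnet
mgmt_net = "10.99.0.0/24"     # assumed
kdc      = "10.99.0.10"       # assumed Kerberos KDC on the LAN side
ntp_srv  = "10.99.0.11"       # assumed
dns_srv  = "10.99.0.12"       # assumed
backup   = "10.99.0.13"       # assumed backup server (receives dumps via ssh)
golden   = "10.99.0.14"       # assumed "golden" config/update server

set skip on lo0

# The rule from the design: nothing comes IN on the management interface.
# pf is last-match-wins, so any later "pass in on $mgmt_if" would override
# this; keep it the only "in" rule for $mgmt_if.
block in on $mgmt_if
# Added tightening: the host may only talk to the listed management services.
block out on $mgmt_if

# Outbound and stateful: replies return through the state entry, so the
# "block in" above never has to be weakened for them.
pass out on $mgmt_if proto { tcp udp } from ($mgmt_if) to $kdc     port kerberos keep state
pass out on $mgmt_if proto udp         from ($mgmt_if) to $ntp_srv port ntp      keep state
pass out on $mgmt_if proto { tcp udp } from ($mgmt_if) to $dns_srv port domain   keep state
pass out on $mgmt_if proto tcp         from ($mgmt_if) to $golden  port ssh      keep state  # pull updates
pass out on $mgmt_if proto tcp         from ($mgmt_if) to $backup  port ssh      keep state  # dump via ssh

# Not pf, but part of the same design: no forwarding between the service NIC
# and the management NIC. OpenBSD defaults to off; make it explicit in
# /etc/sysctl.conf:   net.inet.ip.forwarding=0
```

`($mgmt_if)` binds the rule to whatever address the interface currently has, so the same file can be pushed unmodified from the golden server to every DMZ host.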