Re: System security question
On Sat, Feb 28, 2009 at 12:40 PM, Jean-Francois wrote:
> Hi,
> "And I totally agree with you, Mixing firewall services with services
> like Web or file/print services is a recipe for disaster."
>
> True since hacking the web server is entering the firewall itself.
> But the web server, httpd, is chrooted ... so why would there be a
> problem here ?

Because security is never absolute. It is a matter of probabilities, measuring cost against risk, reducing possible attack vectors, and minimizing the effects of a successful attack. In practice, it means following redundant best practice with the assumption that there is a flaw in the system somewhere, so you're going to put as many layers of obstacles as possible between yourself and your attacker.

A very simple example is host-based firewalls and network-based firewalls. You use both so that your attacker has that much more protection to wade through before actually getting to your important stuff. Maybe they'll get frustrated and move on. If nothing else, you'll have that much more time to notice the attack in progress.

You could probably run your web and file server on your firewall and never have a security breach. Probably, because if you're running all that on the same machine, it's clear you're not a high profile target. The most you'll probably see is SSH brute force attacks and some clumsy attempts at SQL injection. But "probably" is cold comfort if someone exploits a flaw in your web app, gains a local shell (chrooted though it may be), and then leaps to one of your local machines. Or discovers a flaw in the chrooting system. Or finds an exploitable app available in the chroot. Or DoSes your firewall. Or just installs a little app there that adds your firewall/file/web server to their botnet. Or manages to force your internal interface into promiscuous mode. Or... Get the idea?

Ultimately, it's up to you. Your firewall is there as a first line of defense against malicious attacks. Opening additional attack vectors on this machine is a bad idea. Locating your most likely point of failure (your web app) on a machine with unrestricted access to your internal data is a bad idea. But if your data is worth less to you than a second old PC and a couple of hours to set up 4.4 and PF, then by all means, run everything on the same box.

-HKS
Re: System security question
There is a very good alternative for NFS. The name is scp. A small How-To is described in the book Mastering FreeBSD and OpenBSD Security.

In my point of view the firewall must be a separate machine in all cases. www and file server on one machine is an acceptable solution in case of use of chroot, jail, zones on Solaris or a similar solution for small companies. But I think that sooner or later you will decide to buy another machine to separate these services.

2009/2/28 Felipe Alfaro Solana :
> On Sat, Feb 28, 2009 at 6:40 PM, Jean-Francois wrote:
> > Hi,
> > "And I totally agree with you, Mixing firewall services with services
> > like Web or file/print services is a recipe for disaster."
> >
> > True since hacking the web server is entering the firewall itself.
> > But the web server, httpd, is chrooted ... so why would there be a
> > problem here ?
>
> There are ways to evade chroots, although I'm not sure how feasible they are for OpenBSD.
>
> > On Saturday 28 February 2009 at 17:49 +0100, Felipe Alfaro Solana wrote:
> > > On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze wrote:
> > > > Hi Felipe,
> > > >
> > > > Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > > > > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> > > > > > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > > > > > > I actually built the following system :
> > > > > > > - OpenBSD running on a standard AMD platform
> > > > > > > - This box is actually used as firewall
> > > > > > > - This box is also used as webserver
> > > > > > > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
> > > > > > NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
> > > > > Just to clarify,
> > > >
> > > > On an OpenBSD list, i am talking about NFS on OpenBSD (-current and -stable), and that's NFSv3. ;-)
> > > > Of course, you are right that i could have mentioned that.
> > > >
> > > > > NFSv4 does not necessarily transmit data in clear text.
> > > > > NFSv4 allows one to use encryption and/or data authentication.
> > > >
> > > > That doesn't help the original poster because NFSv4 is not available on OpenBSD. See
> > > >
> > > > http://marc.info/?l=openbsd-misc&m=123469849717017
> > > > Peter Hessler wrote on Feb 15, 2009:
> > > > "openbsd uses nfsv3 over ipv4.
> > > > nfsv4 is still being worked on, but is not ready."
> > >
> > > Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on OpenBSD is a very poor choice due to lack of proper authentication and encryption :)
> > >
> > > > > NFSv3 and older versions do not use encryption at all,
> > > > > but you can use IPSec to protect it at the network layer.
> > > >
> > > > I do not know enough about IPSec to judge whether and under which conditions it's viable, effective and efficient to secure NFS usage in an internal network that attackers have access to by using IPSec between the NFS server and each NFS client. Maybe this could be an option.
> > >
> > > Of course if the attacker can gain remote access to the machine, IPSec is not very useful since the attacker can probably retrieve the encryption keys from the kernel :)
> > >
> > > IPSec is only useful to prevent attacks (replay, sniff, etc.) from the network. Thanks for pointing this out.
> > >
> > > > But even if that's sound, which i neither claim nor deny, it's still a bad idea to run purely internal services on a firewall, no matter whether they use encryption or not.
> > >
> > > And I totally agree with you, Mixing firewall services with services like Web or file/print services is a recipe for disaster.
>
> --
> http://www.felipe-alfaro.org/blog/disclaimer/

--
http://www.openbsd.org/lyrics.html
Re: System security question
On Sat, Feb 28, 2009 at 6:40 PM, Jean-Francois wrote:
> Hi,
> "And I totally agree with you, Mixing firewall services with services
> like Web or file/print services is a recipe for disaster."
>
> True since hacking the web server is entering the firewall itself.
> But the web server, httpd, is chrooted ... so why would there be a
> problem here ?

There are ways to evade chroots, although I'm not sure how feasible they are for OpenBSD.

> On Saturday 28 February 2009 at 17:49 +0100, Felipe Alfaro Solana wrote:
> > On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze wrote:
> > > Hi Felipe,
> > >
> > > Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > > > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> > > > > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > > > > > I actually built the following system :
> > > > > > - OpenBSD running on a standard AMD platform
> > > > > > - This box is actually used as firewall
> > > > > > - This box is also used as webserver
> > > > > > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
> > > > > NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
> > > > Just to clarify,
> > >
> > > On an OpenBSD list, i am talking about NFS on OpenBSD (-current and -stable), and that's NFSv3. ;-)
> > > Of course, you are right that i could have mentioned that.
> > >
> > > > NFSv4 does not necessarily transmit data in clear text.
> > > > NFSv4 allows one to use encryption and/or data authentication.
> > >
> > > That doesn't help the original poster because NFSv4 is not available on OpenBSD. See
> > >
> > > http://marc.info/?l=openbsd-misc&m=123469849717017
> > > Peter Hessler wrote on Feb 15, 2009:
> > > "openbsd uses nfsv3 over ipv4.
> > > nfsv4 is still being worked on, but is not ready."
> >
> > Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on OpenBSD is a very poor choice due to lack of proper authentication and encryption :)
> >
> > > > NFSv3 and older versions do not use encryption at all,
> > > > but you can use IPSec to protect it at the network layer.
> > >
> > > I do not know enough about IPSec to judge whether and under which conditions it's viable, effective and efficient to secure NFS usage in an internal network that attackers have access to by using IPSec between the NFS server and each NFS client. Maybe this could be an option.
> >
> > Of course if the attacker can gain remote access to the machine, IPSec is not very useful since the attacker can probably retrieve the encryption keys from the kernel :)
> >
> > IPSec is only useful to prevent attacks (replay, sniff, etc.) from the network. Thanks for pointing this out.
> >
> > > But even if that's sound, which i neither claim nor deny, it's still a bad idea to run purely internal services on a firewall, no matter whether they use encryption or not.
> >
> > And I totally agree with you, Mixing firewall services with services like Web or file/print services is a recipe for disaster.

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: System security question
Ingo Schwarze wrote:
> That doesn't help the original poster because NFSv4 is not available on
> OpenBSD.

Technically there is an NFSv4 client & server available for OpenBSD, although it might need some manual tweaks for 4.4 or 4.5.

http://snowhite.cis.uoguelph.ca/nfsv4/
+
ftp://ftp.cis.uoguelph.ca/pub/nfsv4/OpenBSD4.2/

It is unofficial, but it does exist, regardless of how many people think otherwise.

-Brynet
Re: System security question
Hi,

"And I totally agree with you, Mixing firewall services with services like Web or file/print services is a recipe for disaster."

True since hacking the web server is entering the firewall itself. But the web server, httpd, is chrooted ... so why would there be a problem here ?

On Saturday 28 February 2009 at 17:49 +0100, Felipe Alfaro Solana wrote:
> On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze wrote:
> > Hi Felipe,
> >
> > Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> > > > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > > > > I actually built the following system :
> > > > > - OpenBSD running on a standard AMD platform
> > > > > - This box is actually used as firewall
> > > > > - This box is also used as webserver
> > > > > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
> > > > NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
> > > Just to clarify,
> >
> > On an OpenBSD list, i am talking about NFS on OpenBSD (-current and -stable), and that's NFSv3. ;-)
> > Of course, you are right that i could have mentioned that.
> >
> > > NFSv4 does not necessarily transmit data in clear text.
> > > NFSv4 allows one to use encryption and/or data authentication.
> >
> > That doesn't help the original poster because NFSv4 is not available on OpenBSD. See
> >
> > http://marc.info/?l=openbsd-misc&m=123469849717017
> > Peter Hessler wrote on Feb 15, 2009:
> > "openbsd uses nfsv3 over ipv4.
> > nfsv4 is still being worked on, but is not ready."
>
> Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on OpenBSD is a very poor choice due to lack of proper authentication and encryption :)
>
> > > NFSv3 and older versions do not use encryption at all,
> > > but you can use IPSec to protect it at the network layer.
> >
> > I do not know enough about IPSec to judge whether and under which conditions it's viable, effective and efficient to secure NFS usage in an internal network that attackers have access to by using IPSec between the NFS server and each NFS client. Maybe this could be an option.
>
> Of course if the attacker can gain remote access to the machine, IPSec is not very useful since the attacker can probably retrieve the encryption keys from the kernel :)
>
> IPSec is only useful to prevent attacks (replay, sniff, etc.) from the network. Thanks for pointing this out.
>
> > But even if that's sound, which i neither claim nor deny, it's still a bad idea to run purely internal services on a firewall, no matter whether they use encryption or not.
>
> And I totally agree with you, Mixing firewall services with services like Web or file/print services is a recipe for disaster.
Re: System security question
On Sat, Feb 28, 2009 at 05:49:22PM +0100, Felipe Alfaro Solana wrote:
[snip]
> Of course if the attacker can gain remote access to the machine, IPSec is
> not very useful since the attacker can probably retrieve the encryption keys
> from the kernel :)

And the same is true of NFSv4. And if your attacker is able to read random kernel memory, you've already got bigger issues.

- Bert
Re: System security question
On Sat, Feb 28, 2009 at 1:51 PM, Ingo Schwarze wrote:
> Hi Felipe,
>
> Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> > On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> > > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > > > I actually built the following system :
> > > > - OpenBSD running on a standard AMD platform
> > > > - This box is actually used as firewall
> > > > - This box is also used as webserver
> > > > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
> > > NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
> > Just to clarify,
>
> On an OpenBSD list, i am talking about NFS on OpenBSD (-current and -stable), and that's NFSv3. ;-)
> Of course, you are right that i could have mentioned that.
>
> > NFSv4 does not necessarily transmit data in clear text.
> > NFSv4 allows one to use encryption and/or data authentication.
>
> That doesn't help the original poster because NFSv4 is not available on OpenBSD. See
>
> http://marc.info/?l=openbsd-misc&m=123469849717017
> Peter Hessler wrote on Feb 15, 2009:
> "openbsd uses nfsv3 over ipv4.
> nfsv4 is still being worked on, but is not ready."

Well, if NFSv4 is not an option for OpenBSD, then it's clear that NFS on OpenBSD is a very poor choice due to lack of proper authentication and encryption :)

> > NFSv3 and older versions do not use encryption at all,
> > but you can use IPSec to protect it at the network layer.
>
> I do not know enough about IPSec to judge whether and under which conditions it's viable, effective and efficient to secure NFS usage in an internal network that attackers have access to by using IPSec between the NFS server and each NFS client. Maybe this could be an option.

Of course if the attacker can gain remote access to the machine, IPSec is not very useful since the attacker can probably retrieve the encryption keys from the kernel :)

IPSec is only useful to prevent attacks (replay, sniff, etc.) from the network. Thanks for pointing this out.

> But even if that's sound, which i neither claim nor deny, it's still a bad idea to run purely internal services on a firewall, no matter whether they use encryption or not.

And I totally agree with you, Mixing firewall services with services like Web or file/print services is a recipe for disaster.
Re: System security question
Hi Felipe,

Felipe Alfaro Solana wrote on Sat, Feb 28, 2009 at 10:53:50AM +0100:
> On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> > Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > > I actually built the following system :
> > > - OpenBSD running on a standard AMD platform
> > > - This box is actually used as firewall
> > > - This box is also used as webserver
> > > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
> > NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
> Just to clarify,

On an OpenBSD list, i am talking about NFS on OpenBSD (-current and -stable), and that's NFSv3. ;-)
Of course, you are right that i could have mentioned that.

> NFSv4 does not necessarily transmit data in clear text.
> NFSv4 allows one to use encryption and/or data authentication.

That doesn't help the original poster because NFSv4 is not available on OpenBSD. See

http://marc.info/?l=openbsd-misc&m=123469849717017
Peter Hessler wrote on Feb 15, 2009:
"openbsd uses nfsv3 over ipv4.
nfsv4 is still being worked on, but is not ready."

> NFSv3 and older versions do not use encryption at all,
> but you can use IPSec to protect it at the network layer.

I do not know enough about IPSec to judge whether and under which conditions it's viable, effective and efficient to secure NFS usage in an internal network that attackers have access to by using IPSec between the NFS server and each NFS client. Maybe this could be an option.

But even if that's sound, which i neither claim nor deny, it's still a bad idea to run purely internal services on a firewall, no matter whether they use encryption or not.

Yours,
Ingo
Re: System security question
On Thu, Feb 26, 2009 at 11:13 PM, Ingo Schwarze wrote:
> Hi Jean-Francois,
>
> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > I actually built the following system :
> > - OpenBSD running on a standard AMD platform
> > - This box is actually used as firewall
> > - This box is also used as webserver
> > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
>
> It's hard to tell what this is supposed to say, but in case you intend to use the same physical machine as a firewall, as a public webserver and as a private NFS server, that's almost certainly a very bad idea and not at all secure.
>
> Never put your private NFS server on the same host as either your firewall or your webserver. Never. If you don't own and can't afford enough hardware to physically separate the NFS server from the firewall and the webserver, do not use NFS at all. If your network is so small that you consider putting everything on one single server, just use some old 200MHz i386 for the firewall and some old 500MHz i386 for the NFS server. People will almost certainly give you such hardware for free, at least in Europe. That's probably sufficient, and lets you use your shiny new amd64 box as the webserver.

Just to clarify, NFSv4 does not necessarily transmit data in clear text. NFSv4 allows one to use encryption and/or data authentication. NFSv3 and older versions do not use encryption at all, but you can use IPSec to protect it at the network layer.

> NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
>
> If you can afford it, also separate the webserver from the firewall. Webservers tend to run lots of crappy software, and thus, they tend to get hacked. Well, perhaps that's somewhat mitigated by running the webserver chrooted, but anyway, it is clearly better to make the firewall a three-leg router and physically separate the network segment containing the webserver (DMZ) and the internal NFS server (private intranet).
>
> > Assuming that subnetwork computers might be hacked or infected by any threat
>
> You mean, attackers might gain access to either the hardware of your internal network, or any of the computers in your internal network might get hacked from the Internet?
>
> If i understood that correctly, you cannot use NFS at all, not even on a dedicated server inside your intranet, physically well separated from the firewall. There is basically no way to secure it.
>
> > Assuming that there is no mistake in PF rules
> > Assuming that there is nothing of a third party installed on the box (basically it's only a tuned system)
> > -> Would you please confirm that hacking is almost impossible ?
>
> If i understood your setup and threat scenario correctly -- computers inside your internal network might be compromised, and you want to run an NFS server inside your internal network -- then no, that's not secure. Spying out the private data on the NFS server is trivial and does not even need script kiddie skills. All the attacker needs to do is: Use an IP number having access to the NFS server, locally create an account with the UID he is interested in, mount the NFS volume(s) and read the data. No hacking is required. This is completely insecure.
>
> > -> Would you confirm any personal data hosted on server are safe as long as the (subnet is not compromised by false manipulation of course)
>
> I don't know what you mean by "subnet is not compromised", but it doesn't matter. If "subnetwork computers might be hacked", then the data is not at all secure.
>
> No idea why so many other posters said there's no problem... :-(
>
> Yours
> Ingo

--
http://www.felipe-alfaro.org/blog/disclaimer/
Re: System security question
Hi All,

Thanks to all for your advice. I will think about it and find a way to deal with those things. I was thinking that due to chroot, even if apache got broken into, one could not take over the rest. Anyway, there are some practices that I have not used, but I'm new to those considerations.

Thanks,

On Thursday 26 February 2009 at 23:13 +0100, Ingo Schwarze wrote:
> Hi Jean-Francois,
>
> Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> > I actually built the following system :
> > - OpenBSD running on a standard AMD platform
> > - This box is actually used as firewall
> > - This box is also used as webserver
> > - This box is finally used as local shared drives via NFS file but only open to subnetwork through PF
>
> It's hard to tell what this is supposed to say, but in case you intend to use the same physical machine as a firewall, as a public webserver and as a private NFS server, that's almost certainly a very bad idea and not at all secure.
>
> Never put your private NFS server on the same host as either your firewall or your webserver. Never. If you don't own and can't afford enough hardware to physically separate the NFS server from the firewall and the webserver, do not use NFS at all. If your network is so small that you consider putting everything on one single server, just use some old 200MHz i386 for the firewall and some old 500MHz i386 for the NFS server. People will almost certainly give you such hardware for free, at least in Europe. That's probably sufficient, and lets you use your shiny new amd64 box as the webserver.
>
> NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.
>
> If you can afford it, also separate the webserver from the firewall. Webservers tend to run lots of crappy software, and thus, they tend to get hacked. Well, perhaps that's somewhat mitigated by running the webserver chrooted, but anyway, it is clearly better to make the firewall a three-leg router and physically separate the network segment containing the webserver (DMZ) and the internal NFS server (private intranet).
>
> > Assuming that subnetwork computers might be hacked or infected by any threat
>
> You mean, attackers might gain access to either the hardware of your internal network, or any of the computers in your internal network might get hacked from the Internet?
>
> If i understood that correctly, you cannot use NFS at all, not even on a dedicated server inside your intranet, physically well separated from the firewall. There is basically no way to secure it.
>
> > Assuming that there is no mistake in PF rules
> > Assuming that there is nothing of a third party installed on the box (basically it's only a tuned system)
> > -> Would you please confirm that hacking is almost impossible ?
>
> If i understood your setup and threat scenario correctly -- computers inside your internal network might be compromised, and you want to run an NFS server inside your internal network -- then no, that's not secure. Spying out the private data on the NFS server is trivial and does not even need script kiddie skills. All the attacker needs to do is: Use an IP number having access to the NFS server, locally create an account with the UID he is interested in, mount the NFS volume(s) and read the data. No hacking is required. This is completely insecure.
>
> > -> Would you confirm any personal data hosted on server are safe as long as the (subnet is not compromised by false manipulation of course)
>
> I don't know what you mean by "subnet is not compromised", but it doesn't matter. If "subnetwork computers might be hacked", then the data is not at all secure.
>
> No idea why so many other posters said there's no problem... :-(
>
> Yours
> Ingo
Re: System security question
On Wednesday 25 February 2009 22:08:22 Jean-Francois wrote:
> Hi All,

Hi,

> I actually built the following system :
>
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file but only
> open to subnetwork through PF
>
> Assuming that subnetwork computers might be hacked or infected by any
> threat
> Assuming that there is no mistake in PF rules
> Assuming that there is nothing of a third party installed on the box
> (basically it's only a tuned system)
>
> -> Would you please confirm that hacking is almost impossible ?
> -> Would you confirm any personal data hosted on server are safe as
> long as the (subnet is not compromised by false manipulation of course)

If we just look at the design, there is at least one big flaw in the system: you are mixing internal data with external data. If you have a firewall and a webserver running on the same machine, you shouldn't have the shared drives there because in the event of a security breach you are giving information for free to the attacker. Mixing a webserver with a firewall is also risky; you are again mixing data that might be internal with something that is dealing with external traffic. Again, in the event of a successful attack, you are giving the webserver away for free to the attacker.

It might be that there are no flaws in any of the OpenBSD packages, but can you assure that no user will add something stupid to the webserver? Most attacks come from unexpected vectors, such as wrong validation of data and such. Once somebody detects a flaw in your web pages it is just a matter of time before they manage to sneak into the system. If nothing else, attacks come in the majority of cases from the inside, so protecting only one side is not going to help you if somebody from the inside wants to take over.

Remember, all you need is a small error in a webpage for somebody to find a way to enter your system. So, in my opinion, what you are asking us to confirm is not possible to confirm. Especially if you are hosting sensitive material on the server, mixing internal traffic with external traffic is basically a recipe for disaster.

Regards
--
Carlos Manuel Duclos Vergara
http://carlosduclos.blogspot.com
Re: System security question
Hi Jean-Francois,

Jean-Francois wrote on Wed, Feb 25, 2009 at 10:08:22PM +0100:
> I actually built the following system :
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file
> but only open to subnetwork through PF

It's hard to tell what this is supposed to say, but in case you intend to use the same physical machine as a firewall, as a public webserver and as a private NFS server, that's almost certainly a very bad idea and not at all secure.

Never put your private NFS server on the same host as either your firewall or your webserver. Never. If you don't own and can't afford enough hardware to physically separate the NFS server from the firewall and the webserver, do not use NFS at all. If your network is so small that you consider putting everything on one single server, just use some old 200MHz i386 for the firewall and some old 500MHz i386 for the NFS server. People will almost certainly give you such hardware for free, at least in Europe. That's probably sufficient, and lets you use your shiny new amd64 box as the webserver.

NFS is not designed with security in mind. It transmits data unencrypted. It has no real authentication and no real access control. It is designed for strictly private networks with no external access that no potential attackers have access to.

If you can afford it, also separate the webserver from the firewall. Webservers tend to run lots of crappy software, and thus, they tend to get hacked. Well, perhaps that's somewhat mitigated by running the webserver chrooted, but anyway, it is clearly better to make the firewall a three-leg router and physically separate the network segment containing the webserver (DMZ) and the internal NFS server (private intranet).

> Assuming that subnetwork computers might be hacked or infected by
> any threat

You mean, attackers might gain access to either the hardware of your internal network, or any of the computers in your internal network might get hacked from the Internet?

If i understood that correctly, you cannot use NFS at all, not even on a dedicated server inside your intranet, physically well separated from the firewall. There is basically no way to secure it.

> Assuming that there is no mistake in PF rules
> Assuming that there is nothing of a third party installed
> on the box (basically it's only a tuned system)
> -> Would you please confirm that hacking is almost impossible ?

If i understood your setup and threat scenario correctly -- computers inside your internal network might be compromised, and you want to run an NFS server inside your internal network -- then no, that's not secure. Spying out the private data on the NFS server is trivial and does not even need script kiddie skills. All the attacker needs to do is: Use an IP number having access to the NFS server, locally create an account with the UID he is interested in, mount the NFS volume(s) and read the data. No hacking is required. This is completely insecure.

> -> Would you confirm any personal data hosted on server are safe
> as long as the (subnet is not compromised by false manipulation
> of course)

I don't know what you mean by "subnet is not compromised", but it doesn't matter. If "subnetwork computers might be hacked", then the data is not at all secure.

No idea why so many other posters said there's no problem... :-(

Yours
Ingo
Re: System security question
On Wed, Feb 25, 2009 at 3:08 PM, Jean-Francois wrote:

> Hi All,
>
> I actually built the following system :
>
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file but only
> open to subnetwork through PF
>
> Assuming that subnetwork computers might be hacked or infected by any
> threat
> Assuming that there is no mistake in PF rules
> Assuming that there is nothing of a third party installed on the box
> (basically it's only a tuned system)
>
> -> Would you please confirm that hacking is almost impossible ?
> -> Would you confirm any personal data hosted on server are safe as
> long as the (subnet is not compromised by false manipulation of course)

Assuming that your system is secure, then yes, I can confirm that your system is secure.

If your real question is, is a properly configured OpenBSD system likely to be somewhat more secure than other systems, most people on the OpenBSD list would probably say probably. But asking about "almost impossible" is asking to be lied to - no responsible security expert would make such a claim. Impossible for whom? The NSA? What are the stakes? If you're talking about Osama's web server, then I expect it would be hacked. The best you can hope for is a high degree of confidence relative to other possible solutions.

-gregg
Re: System security question
2009/2/26 Alexander Hall

> Jean-Francois wrote:
>
>> Hi All,
>>
>> I actually built the following system :
>>
>> - OpenBSD running on a standard AMD platform
>> - This box is actually used as firewall
>> - This box is also used as webserver
>> - This box is finally used as local shared drives via NFS file but only
>> open to subnetwork through PF
>
> You _do_ have the same restrictions in /etc/exports, right? Otherwise
> disabling pf (by accident or whatever) would expose your disks to the world.
>
>> Assuming that subnetwork computers might be hacked or infected by any
>> threat
>
> That would give them full access to the NFS shares
>
>> Assuming that there is no mistake in PF rules
>
> ... but _if_? ...
>
>> Assuming that there is nothing of a third party installed on the box
>> (basically it's only a tuned system)
>
> "tuned" as in services turned on etc, I hope. Not "tuned" as in "tweaked
> and unnecessarily fiddled with".
>
>> -> Would you please confirm that hacking is almost impossible ?
>
> No.
>
>> -> Would you confirm any personal data hosted on server are safe as
>> long as the (subnet is not compromised by false manipulation of course)
>
> This goes against what you wrote above about subnetwork computers might be
> hacked etc, so ... no.
>
> From what it looks like, I'd say you're safe enough, unless you keep
> government secrets on your disks. :-)
>
> Personally, I'd really recommend having the firewall as firewall/gateway
> only and have another computer (or two) for the other services though.
>
> /Alexander

> -> Would you please confirm that hacking is almost impossible ?

I will go out on a limb here and say: yes - PROVIDED it is never switched on and it is kept unplugged.

Security is a process not a product.
Re: System security question
Jean-Francois wrote:

> Hi All,
>
> I actually built the following system :
>
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file but only
> open to subnetwork through PF

You _do_ have the same restrictions in /etc/exports, right? Otherwise disabling pf (by accident or whatever) would expose your disks to the world.

> Assuming that subnetwork computers might be hacked or infected by any
> threat

That would give them full access to the NFS shares

> Assuming that there is no mistake in PF rules

... but _if_? ...

> Assuming that there is nothing of a third party installed on the box
> (basically it's only a tuned system)

"tuned" as in services turned on etc, I hope. Not "tuned" as in "tweaked and unnecessarily fiddled with".

> -> Would you please confirm that hacking is almost impossible ?

No.

> -> Would you confirm any personal data hosted on server are safe as
> long as the (subnet is not compromised by false manipulation of course)

This goes against what you wrote above about subnetwork computers might be hacked etc, so ... no.

From what it looks like, I'd say you're safe enough, unless you keep government secrets on your disks. :-)

Personally, I'd really recommend having the firewall as firewall/gateway only and have another computer (or two) for the other services though.

/Alexander
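Two points in this thread translate directly into configuration: Ingo's advice to make the firewall a three-leg router with the webserver in a DMZ and the NFS server on a separate intranet segment, and Alexander's reminder that /etc/exports must carry the same network restriction as pf so that a disabled or mis-edited ruleset does not expose the disks. The fragments below are an added illustration written for this page, not configuration posted by anyone in the thread. Interface names (em0, em1, em2), the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24, the host addresses and the exported path /home are all constructed assumptions; NAT for the intranet is left out because its syntax depends on the OpenBSD release.

```conf
# --- /etc/pf.conf on the three-leg firewall (constructed example) ---
ext_if  = "em0"               # Internet side
dmz_if  = "em1"               # DMZ segment: only the webserver lives here
int_if  = "em2"               # private intranet: clients and the NFS server
dmz_net = "192.0.2.0/24"      # assumed documentation prefix
int_net = "198.51.100.0/24"   # assumed documentation prefix
web_srv = "192.0.2.10"        # assumed address of the DMZ webserver

set skip on lo
antispoof quick for { $dmz_if, $int_if }   # drop packets that forge a LAN source
block all                                  # default deny, all interfaces, both directions

# Internet -> DMZ webserver, HTTP/HTTPS only.
pass in  on $ext_if proto tcp to $web_srv port { 80, 443 }
pass out on $dmz_if proto tcp to $web_srv port { 80, 443 }

# Intranet may leave its own segment (to the DMZ webserver and the Internet).
pass in  on $int_if from $int_net to ! $int_net
pass out on $ext_if from $int_net

# Nothing from the DMZ may enter the intranet: a compromised webserver cannot
# even reach the NFS server. No pass rule exists for it, and the explicit
# "quick" block keeps it that way if a broader pass rule is added later.
block in quick on $dmz_if to $int_net

# --- /etc/pf.conf on the NFS server itself (belt and braces, same assumptions) ---
# int_if  = "em0"
# int_net = "198.51.100.0/24"
# set skip on lo
# block all
# # portmap, mountd and nfsd answer only the intranet; mountd's port is
# # assigned through portmap, so the rule allows the whole segment rather
# # than a fixed port list.
# pass in  on $int_if from $int_net to ($int_if)
# pass out on $int_if from ($int_if)

# --- /etc/exports on the NFS server: the same restriction, independent of pf ---
# /home -alldirs -maproot=nobody -network=198.51.100.0 -mask=255.255.255.0
```

Check a ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and after editing /etc/exports send mountd a SIGHUP (`pkill -HUP mountd`) and confirm the visible export list with `showmount -e localhost`. Note what this does and does not buy: the export line limits which hosts may mount, and `-maproot=nobody` only squashes root; every other UID a client presents is still trusted as-is, which is exactly Ingo's point that host-based restrictions cannot protect the data against a compromised machine inside the intranet.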
Re: System security question
2009/2/25 Jean-Francois :

> -> Would you please confirm that hacking is almost impossible ?
> -> Would you confirm any personal data hosted on server are safe as
> long as the (subnet is not compromised by false manipulation of course)

I hate to state the obvious, but no one will be able to give you such assurances outside of a paid for and underwritten insurance policy.

Yes, many knowledgeable persons consider OpenBSD to be probably one of the, if not the most secure general purpose operating system. Does that mean that hacking is almost impossible? That's up to you to ensure in your deployment and depends on your definition of "almost impossible". And no sane person would claim that your hosted data was safe. People who make such claims are either overconfident and deluded or lying. And that probably applies to any OS.

You want guarantees? Pay for a risk assessment and a broad insurance policy. You want OpenBSD's security profile to become even better than it is today? Hire some of the competent core developers. Other than that, OpenBSD is mostly a volunteer project, and the people who are so kind to freely give the fruits of their labour of love to you and me would be nuts to also --and without compensation-- give you guarantees that might bite them if Murphy's law struck in some weird and (less than) wonderful way.

--regards, ropers
Re: System security question
On Wed, Feb 25, 2009 at 10:08 PM, Jean-Francois wrote:

> Hi All,
>
> I actually built the following system :
>
> - OpenBSD running on a standard AMD platform
> - This box is actually used as firewall
> - This box is also used as webserver
> - This box is finally used as local shared drives via NFS file but only
> open to subnetwork through PF
>
> Assuming that subnetwork computers might be hacked or infected by any
> threat
> Assuming that there is no mistake in PF rules
> Assuming that there is nothing of a third party installed on the box
> (basically it's only a tuned system)
>
> -> Would you please confirm that hacking is almost impossible ?

We would never do that. It'd be stupid to think that hacking this machine is almost impossible. There exists no unhackable or unbreakable software, not even OpenBSD.

> -> Would you confirm any personal data hosted on server are safe as
> long as the (subnet is not compromised by false manipulation of course)

Never, because you are running a Web server on the machine, and possibly an SSH server and lots of code that might contain security holes.

> Thanks for care,
> JF

-- 
http://www.felipe-alfaro.org/blog/disclaimer/