On 03/12/2013 03:19 AM, Matt Joyce wrote:
> Does that apply equally if using properly configured vlan tagging etc?

No.

> Of course I'm aware that even with placing some local rules to enforce
> it a fully root compromised box would allow them to enable, disable,
> change or otherwise play games with your boxes vlan setup as much as
> they wanted to. I also tend to think when it comes down to that,
> firstly it would act to limit the potential attack vectors from the
> simply logically separated idea where probably the most basic forms of
> attack on a vulnerable PHP/Rails/CGI web application could I suspect be
> sufficient to enable manipulation of services accepting broadcast
> traffic even while the http daemon and the rest of the system remain
> secure and with no more privileges than they were supposed to have. If
> manipulating such as vlan tags and/or disabling iptables/selinux or
> similar policy enforcement regulating outgoing traffic is required I'd
> have thought some form of system wide compromise with privilege
> escalation would be a minimum (For the sake of argument assuming that
> all internet facing servers have fully dropped root and not merely
> switched euid or similar uid=0).
>
> If I'm right on that part I would personally be inclined to consider
> that to be reasonably acceptable especially on a temporary basis, mainly
> because to my mind once a hostile agent has successfully managed to gain
> root on a local system you have bigger problems than broadcast
> disruption to worry about, especially if the compromised machine is one
> that is trusted by internal clients to serve content or handle sensitive
> data etc, which would usually be pretty much all of them in my experience, often
> to the point of seeming irrational.

My point about broadcast is simply that it allows for easy discovery of the other IP subnet(s) sharing the LAN (assuming no vlan). This requires that the box be root-compromised, of course.

Adding an IP address in the other subnet would then enable direct communication with the hosts in that subnet without any intervening firewall to worry about.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
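Tom's point is that on a shared segment without VLANs, broadcast traffic reveals every IP subnet present, and a host that then aliases an address in a neighbouring subnet bypasses the firewall that would otherwise sit between them. The same observation works for the defender: a monitor on the segment can list the subnets that broadcast senders belong to and flag senders outside the subnet the segment is supposed to carry, or directed broadcasts aimed at a subnet the sender is not in. The following is an added example written for this reply, not code from the thread or from Shorewall; the tcpdump-style sample lines are constructed, and the /24 prefix assumption and the "expected subnet" list are parameters you would set for your own segment.

```python
"""Spot foreign-subnet broadcast senders on a LAN segment (added example)."""
import ipaddress
import re

# Constructed sample input: tcpdump-style ARP and UDP broadcast lines as a
# monitoring host on the segment might log them. Formats are assumptions.
SAMPLE_LINES = [
    "10:01:02.1 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28",
    "10:01:03.4 IP 192.168.1.10.68 > 255.255.255.255.67: BOOTP/DHCP, Request",
    "10:01:04.9 ARP, Request who-has 10.0.5.1 tell 10.0.5.7, length 28",
    "10:01:05.2 IP 10.0.5.7.137 > 10.0.5.255.137: NBT UDP PACKET(137)",
    "10:01:06.0 IP 192.168.1.10.137 > 10.0.5.255.137: NBT UDP PACKET(137)",
]

ARP_RE = re.compile(r"ARP, Request who-has \S+ tell (\d+\.\d+\.\d+\.\d+)")
IP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def source_address(line):
    """Return the sender's IPv4 address from an ARP request or IP line, else None."""
    m = ARP_RE.search(line) or IP_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def subnets_seen(lines, prefix_len=24):
    """Set of /prefix_len networks that broadcast senders belong to.

    This is the discovery Tom describes: one segment, several subnets visible
    to anyone who can listen to broadcasts (prefix length is an assumption).
    """
    nets = set()
    for line in lines:
        src = source_address(line)
        if src is not None:
            nets.add(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
    return nets


def unexpected_senders(lines, expected_nets):
    """(source, line) pairs for senders outside the subnets expected on this segment."""
    expected = [ipaddress.ip_network(n) for n in expected_nets]
    hits = []
    for line in lines:
        src = source_address(line)
        if src is not None and not any(src in net for net in expected):
            hits.append((str(src), line))
    return hits


def cross_subnet_directed_broadcasts(lines, prefix_len=24):
    """(source, destination) pairs where a directed broadcast targets a subnet
    the sender is not a member of: a host reaching into a neighbouring subnet."""
    hits = []
    for line in lines:
        m = IP_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if dst == LIMITED_BROADCAST:
            continue  # 255.255.255.255 carries no subnet information
        dst_net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        if dst == dst_net.broadcast_address and src not in dst_net:
            hits.append((str(src), str(dst)))
    return hits


if __name__ == "__main__":
    print("subnets on segment:", sorted(str(n) for n in subnets_seen(SAMPLE_LINES)))
    print("senders outside 192.168.1.0/24:",
          unexpected_senders(SAMPLE_LINES, ["192.168.1.0/24"]))
    print("cross-subnet directed broadcasts:",
          cross_subnet_directed_broadcasts(SAMPLE_LINES))
```

Run against a live capture, the first function is the same picture an attacker on the segment gets for free, which is the argument for VLANs or physically separate segments rather than multiple subnets on one wire; the other two are the alerts worth wiring up if that separation is not yet in place.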
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
