-- Excerpts follow --

From: de Cuzey <phid_at_nea.fr>

Mr. Jolt Cola wrote:
>
> Cisco's sales reps (not necessarily expert) say if I run the web server
> inside the firewall then I cannot allow access to it from outside without
> opening the whole server up to attack? How is this? The protection is
> by IP only then? I was thinking there should be some port level control.
>

They're right. There is port level control, but that's not the point. What you need to implement is a bastion host, that would be on the internet. All your other machines will be on a protected subnet, and only communications from the protected LAN to the internet will be allowed (never the other way, except for mandatory services like incoming mail...)

> Also, assume I move the web server outside the firewall and have it
> access a database inside the firewall, then I assume if the server
> outside the firewall is hacked, then the initial entry is gained.
> Is this correct? Even so, it would probably be better than no firewall
> at all.
>

No, unless the protocol used between the server and the initial entry is weak (or rather its implementation). Ex: in the past, a bug in sendmail was responsible for a lot of intrusions because it allowed an escape to the shell and was run as root.

In your case, either you put a copy of your databases on the server, and then it's isolated, or you put a SQL*Net proxy and the data are not duplicated, or even you have snapshots on the server, automatically updated through your SQL*Net proxy.

Regards
Philippe
--
=========================================================
O.E.C.D. Nuclear Energy Agency
P. de Cuzey                              phid_at_nea.fr
=========================================================

From: BigRedDog <ckrieger_at_latrade.com>

On Mon, 9 Sep 1996, Mr. Jolt Cola wrote:

My experience with firewalls is not extensive, so I suggest you take what I say with a grain of salt. There are a lot of things you can do to make your site more secure.
First you can set up filtering on your router. This will affect the performance of the router, but most good routers can handle a few filters. You have several options here. If you just do filtering (a bad idea) you then allow all the packets on your network out, but allow only packets to come in to certain machines and ports. Make sure that you enable DNS. The Cisco manuals have a good explanation of what is involved for their routers. Now is also the time to disable source routing. For Ciscos I think the command is "no ip source route". Perhaps sourceroute is one word.

The next thing to think about, though not in your case, is tcp wrappers. This is basically a program that will execute another program prior to starting any service in inetd.conf. It also has features that let you restrict what hosts are allowed to connect. Since you want to do a web server, you probably aren't interested in limiting access to it. But, tcp wrappers might be a good idea for all the other services like ftp and telnet.

Now we can talk about firewalls. I have used TIS FireWall Tool Kit (fwtk) at two jobs now. My current site has it running on a DEC Ultrix box. The previous one had it running on an HP. It seems to work well. It is also free.

To my way of thinking I would try a setup sorta like this:

    ---------Internet---------------
                 |
                 |
              router1
                 |
                 |
              firewall
                 |
                 |
              router2
                 |
                 |
    ------------Office lan-----------

Have all services except dns, http, and mail disabled for packets coming in from the internet. Next, have filtering enabled on router2 such that the firewall host can only initiate connections into the office lan to reach at most three machines: the DNS server, the mail server, and the database server. Ensure that you have the latest patches for all your mail programs. The firewall will also have to be a dns server. I would write a custom application that uses a separate port for your database application.
Make sure that these are the only ports and hosts that can originate on the firewall and go to the office lan. This is where filtering shows its stuff. I am not an expert at this, but I suspect a setup like this would stop all but the most experienced hackers. I encourage you to get some good books on the subject, and perhaps talk to an expert. The people at TIS do offer a commercial product as well as consulting support. Use my ideas at your own risk, and certainly not without further research.

-cliff

From: Alan Cox <coxa_at_cableol.net>

> I'm looking at Digital UNIX Firewalling software as well as Cisco's
> PIX firewall embedded kernel box. Perhaps some of you experts can

The PIX can do this, and it seems a very good box. The PIX we have appears incapable of handling identd (it will neither abort nor allow sessions), which causes identd to hang. For any kind of outgoing use from the machine that will be a big issue.

> ideas but what about allowing a single protocol access while
> restricting others? Also, is anyone experienced with other solutions

That's fairly typical.

> such as Linux's firewall software. I realize this is offtopic but
> it certainly falls under system management.

It will do what you want. Irrespective of what you want to get, make sure you get the thing set up right, that's the critical bit.

> Cisco's sales reps (not necessarily expert) say if I run the web server
> inside the firewall then I cannot allow access to it from outside without
> opening the whole server up to attack? How is this? The protection is
> by IP only then? I was thinking there should be some port level control.

There is, and the PIX can do that. However it's possible to break a web server in theory, and trick a cgi-bin script into giving you a shell on port 80. At that point you lose (obviously). Make sure you have source to all your cgi stuff and have inspected it.
> access a database inside the firewall, then I assume if the server
> outside the firewall is hacked, then the initial entry is gained.
> Is this correct? Even so, it would probably be better than no firewall
> at all.

If your database link is well written then the worst someone should be able to do is query the database directly. That's a tiny piece of code you should be able to very tightly audit.

Alan

From: Roger Joss <giarjo_at_gia.ch>

Mr. Jolt Cola wrote:
>
> Hi fellow overworked,
>
> I'm interested in what sort of setup any of you are running
> containing Internet services such as WWW along with valuable
> databases (ORACLE) and how some of you other guys are protecting
> your networks and hosts.
>
> We have a WWW system which interfaces to ORACLE via cgi, running
> Netscape secure server. I would like to make the Web interface
> accessible to the outside world but would like to protect the
> host(s) from external attack otherwise.
>
> I'm looking at Digital UNIX Firewalling software as well as Cisco's
> PIX firewall embedded kernel box. Perhaps some of you experts can
> explain just WHAT a good firewall is capable of doing. I have basic
> ideas but what about allowing a single protocol access while
> restricting others? Also, is anyone experienced with other solutions
> such as Linux's firewall software. I realize this is offtopic but
> it certainly falls under system management.
>
> Cisco's sales reps (not necessarily expert) say if I run the web server
> inside the firewall then I cannot allow access to it from outside without
> opening the whole server up to attack? How is this? The protection is
> by IP only then? I was thinking there should be some port level control.
>
> Also, assume I move the web server outside the firewall and have it
> access a database inside the firewall, then I assume if the server
> outside the firewall is hacked, then the initial entry is gained.
> Is this correct?
> Even so, it would probably be better than no firewall
> at all.
>
> Thanks, will summarize. Any info is better than none at all. :)
>
> Melvin Smith

Hi,

Since Firewalling is a huge topic you should take a look at the appropriate firewall list. Send e-mail to majordomo_at_greatcircle.com with

    subscribe firewall-digest

in the body, or consider ftp://ftp.greatcircle.com/pub/firewalls/FAQ

Regards
Roger

From: George Livsey <george_at_opic.net>

I would suggest a DOD approved solution such as The Security Router by Network Systems Corporation. See: http://www.network.com

From: "G. Del Merritt" <del_at_intranet.com>
In-reply-to: "msmith_at_quix.robins.af.mil"'s message of 9-SEP-1996 18:45:01.56

>I'm interested in what sort of setup any of you are running
>containing Internet services such as WWW along with valuable
>databases (ORACLE) and how some of you other guys are protecting
>your networks and hosts.

The official firewalls FAQ is on http://www.v-one.com/pubs.

>I'm looking at Digital UNIX Firewalling software as well as Cisco's

We're going to go with DEC's SEAL. We're paranoid. We'll also have our routers as part of the firewall, since The Firewall(tm) isn't usually any single box; it's the complete defense.

You should (as the FAQ will suggest) pick up and ingest either or both of:

    Firewalls and Internet Security: Repelling the Wily Hacker; Cheswick & Bellovin (Addison-Wesley), ISBN 0-201-63357-4.
    Building Internet Firewalls; Chapman & Zwicky (O'Reilly & Assoc.), ISBN 1-56592-124-0

Also consider subscribing to the firewalls mailing list and _review_ the archives (see the FAQ).

>restricting others? Also, is anyone experienced with other solutions
>such as Linux's firewall software. I realize this is offtopic but
>it certainly falls under system management.

The standard trade-off applies; you have the choice of any two of the following three: fast, good, and cheap.
Seriously, the initial cost of almost any current solution will pale in comparison with the cost (in terms of a human being) of maintaining it and reviewing the logging. You can do quite well with a Linux box, or, probably, TIS's "freeware" firewall build on your OSF/DU system.

>Cisco's sales reps (not necessarily expert) say if I run the web server
>inside the firewall then I cannot allow access to it from outside without
>opening the whole server up to attack? How is this? The protection is
>by IP only then? I was thinking there should be some port level control.

In the general case, the cisco [sic] person is correct. Unless there have been recent changes, Oracle can/does listen on random ports. Even if you wrap this in CGI, with no external connection, a server can still be attacked. Be that as it may, you might consider any number of "simple" servers for this purpose.

>Also, assume I move the web server outside the firewall and have it
>access a database inside the firewall, then I assume if the server
>outside the firewall is hacked, then the initial entry is gained.
>Is this correct? Even so, it would probably be better than no firewall
>at all.

Ayup. You might consider replicating the database on the outside via a "one-way" link to your inside. If the outside gets hacked, it will get "refreshed" later that day. You haven't specified just what this database needs to do/support, so this may be simplistic.

Good luck.
--
Del Merritt, http://www.intranet.com/~del  del_at_IntraNet.com
IntraNet, Inc., One Gateway Center #700, Newton, MA 02158
Voice: 617-527-7020; FAX: 617-527-1761
Just say no to Clipper.
You may not add me to a commercial mailing list or send me commercial advertising without my consent.

Received on Tue Sep 10 1996 - 22:44:56 NZST
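The following is an added illustration, not code from any of the posters above: it models, in Python, the screening-router policy Cliff sketches (router1 admits only dns, http and mail towards the firewall host; router2 lets the firewall host initiate connections only to the DNS, mail and database servers on fixed ports; source-routed packets are dropped, as "no ip source-route" does on a Cisco). The addresses, host names and the database application's port number are constructed assumptions; nothing here is a real router configuration.

```python
"""Toy stateless packet filter for the two-router layout described in the thread.
Constructed example: all addresses, hosts and the DB port are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNET = ipaddress.ip_network("0.0.0.0/0")
FIREWALL = ipaddress.ip_address("198.51.100.2")     # assumed bastion/firewall host
DNS_SERVER = ipaddress.ip_address("192.0.2.53")     # assumed office-LAN servers
MAIL_SERVER = ipaddress.ip_address("192.0.2.25")
DB_SERVER = ipaddress.ip_address("192.0.2.66")
DB_PORT = 7777                                      # assumed port of the custom DB application


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int
    syn: bool = True           # True for a connection-opening TCP segment
    source_routed: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port


def host(addr):
    """A single-address network, so hosts and networks share one rule type."""
    return ipaddress.ip_network(f"{addr}/32")


# router1: what the internet may open towards the firewall host (dns, http, mail only).
ROUTER1_INBOUND = [
    Rule("permit", INTERNET, host(FIREWALL), "udp", 53),
    Rule("permit", INTERNET, host(FIREWALL), "tcp", 53),
    Rule("permit", INTERNET, host(FIREWALL), "tcp", 80),
    Rule("permit", INTERNET, host(FIREWALL), "tcp", 25),
]

# router2: what the firewall host may open into the office LAN (three hosts, fixed ports).
ROUTER2_INBOUND = [
    Rule("permit", host(FIREWALL), host(DNS_SERVER), "udp", 53),
    Rule("permit", host(FIREWALL), host(DNS_SERVER), "tcp", 53),
    Rule("permit", host(FIREWALL), host(MAIL_SERVER), "tcp", 25),
    Rule("permit", host(FIREWALL), host(DB_SERVER), "tcp", DB_PORT),
]


def decide(rules, pkt, allow_established=False):
    """Screening-router decision for one packet.

    1. Source-routed packets are dropped unconditionally (the "no ip source-route" step).
    2. If allow_established is set, non-SYN TCP segments pass, which is how a stateless
       filter lets replies to connections opened from the protected side come back.
    3. Otherwise the first matching permit/deny rule wins, and anything unmatched is
       denied (default deny).
    """
    if pkt.source_routed:
        return "deny"
    if allow_established and pkt.proto == "tcp" and not pkt.syn:
        return "permit"
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if (src in rule.src and dst in rule.dst
                and (rule.proto is None or rule.proto == pkt.proto)
                and (rule.dport is None or rule.dport == pkt.dport)):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        ("router1", ROUTER1_INBOUND, Packet("203.0.113.9", str(FIREWALL), "tcp", 80)),
        ("router1", ROUTER1_INBOUND, Packet("203.0.113.9", str(FIREWALL), "tcp", 23)),
        ("router2", ROUTER2_INBOUND, Packet(str(FIREWALL), str(DB_SERVER), "tcp", DB_PORT)),
        ("router2", ROUTER2_INBOUND, Packet(str(FIREWALL), str(DB_SERVER), "tcp", 23)),
    ]
    for where, rules, pkt in samples:
        print(where, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, decide(rules, pkt))
```

The `allow_established` switch is the classic ACK-flag trick of stateless filters: it passes any TCP segment without SYN, so it cannot tell a genuine reply from a crafted non-SYN packet. That limitation is one reason the thread puts a proxying firewall host between the two routers rather than relying on filters alone.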
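Philippe's SQL*Net proxy and Alan's "tiny piece of code you should be able to very tightly audit" describe the same thing: the outside web host never sends SQL inwards, it names one of a handful of pre-written, parameterised queries. The block below is an added example of such a database link, written for this page and not taken from any poster; SQLite stands in for ORACLE/SQL*Net, and the table, the query names and the value-validation rules are assumptions.

```python
"""A deliberately small, auditable database link: a fixed menu of parameterised
read-only queries, with a read-only authorizer on the connection as a second line
of defence. Constructed example; SQLite stands in for the ORACLE/SQL*Net link and
the table and query names are assumptions."""
import re
import sqlite3

# The complete set of things the outside host may ask for. Each entry is
# (sql with bound placeholders, [(parameter name, allowed pattern, converter)]).
ALLOWED_QUERIES = {
    "part_by_sku": (
        "SELECT sku, name, price FROM parts WHERE sku = ?",
        [("sku", re.compile(r"[A-Z]-\d{3}"), str)],
    ),
    "parts_under_price": (
        "SELECT sku, name, price FROM parts WHERE price <= ? ORDER BY price",
        [("max_price", re.compile(r"\d{1,6}"), int)],
    ),
}


def _read_only_authorizer(action, arg1, arg2, dbname, trigger):
    # SQLite asks before compiling each operation; only reading rows is allowed,
    # so even a write that somehow reached this connection would be refused.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


class DatabaseLink:
    def __init__(self, conn):
        self._conn = conn
        self._conn.set_authorizer(_read_only_authorizer)

    def query(self, name, **params):
        """Run one named query. Unknown names, wrong parameter sets and values that
        fail their pattern are rejected before any SQL is touched."""
        if name not in ALLOWED_QUERIES:
            raise ValueError(f"unknown query {name!r}")
        sql, spec = ALLOWED_QUERIES[name]
        if set(params) != {pname for pname, _, _ in spec}:
            raise ValueError("wrong parameter set")
        args = []
        for pname, pattern, convert in spec:
            value = str(params[pname])
            if not pattern.fullmatch(value):
                raise ValueError(f"bad value for {pname}")
            args.append(convert(value))
        # Bound parameters: a value can never become part of the SQL text.
        return self._conn.execute(sql, args).fetchall()


def is_rejected(link, name, **params):
    """True if the link refuses the request without running anything."""
    try:
        link.query(name, **params)
    except ValueError:
        return True
    return False


def rejects_writes(link):
    """True if the connection's authorizer refuses a write (defence in depth)."""
    try:
        link._conn.execute("DELETE FROM parts")
    except sqlite3.DatabaseError:
        return True
    return False


def build_demo_link():
    """Constructed sample data standing in for the protected database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE parts (sku TEXT PRIMARY KEY, name TEXT, price INTEGER);
        INSERT INTO parts VALUES ('A-100', 'widget', 12), ('B-200', 'gadget', 45);
    """)
    return DatabaseLink(conn)


if __name__ == "__main__":
    link = build_demo_link()
    print(link.query("part_by_sku", sku="A-100"))
    print(link.query("parts_under_price", max_price="20"))
    print("injection-shaped value rejected:", is_rejected(link, "part_by_sku", sku="A-100' OR '1'='1"))
    print("writes refused by authorizer:", rejects_writes(link))
```

The point of the design is that the whole attack surface reachable from a compromised outside host is the few dozen lines above: there is no path by which attacker-chosen text reaches the database as SQL, and the worst outcome is exactly the one Alan names, running one of the listed queries.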
This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:47 NZDT