Re: oops again

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/11/04


Date: Sun, 11 Jul 2004 14:14:03 GMT


>Now, my question is this: Is my webserver inaccessible from the outside if I choose NOT to route 64.2.?.?:80 to 192.168.x.y:80?

No.

>If the answer is that the webserver is NOT accessible, can you tell me if there are any specific security risks in running an intranet from this computer?

Sure. If you don't allow *any* access it's less likely to be
compromised.

Think of it this way: If you leave your car at the mall with the keys
in it and the engine running, it will get stolen. That's like running
an IIS site that is open and has no security updates or protection of
any kind.

If you leave your car at the mall, but lock it and take the keys, it
may still get stolen but the thief would need to bypass a number of
security points to get it. This is a properly secured IIS system.

If you lock your car in the garage, it's extremely unlikely your car
will get stolen. On the other hand, your friends at the mall will go
to the movie without you.

If you sell your car and give the money to charity, your computer will
never get hacked. :)

Jeff

>"David Wang [Msft]" wrote:
>
>> 192.168.x.y is an unroutable IP. It means machines outside the local subnet
>> cannot reference your machine using that IP because no intervening router
>> will "route" that request.
>>
>> 64.2.x.y is likely your WAN IP of your broadband/modem connection. This is
>> an IP that any machine can reference and is routable.
>>
>> Just because you cannot get http://192.168.x.y/index.html or
>> http://64.2.?.?/index.html to work does not mean that your server is
>> inaccessible from the outside. It only shows that YOU cannot access it from
>> your network client but says nothing about whether the server is actually
>> inaccessible from the outside. Only by knowing how you configured
>> networking from your server on up can you determine this.
>>
>> As for blocking port 80 from the firewall, it depends. Most firewalls
>> prevent outsiders from seeing your machines. They usually do not prevent
>> you from seeing outside machines.
>>
>>
>> This is one possible network configuration --
>> Internet <--> ISP <--> Router (64.2.?.?) (HW Firewall) <--> Your PC, Server,
>> etc on the local network (192.168.x.y)
>>
>> You configure the Firewall on the Router to just block every single port.
>> This blocks anyone from the outside from ever seeing any of your local
>> network but does not prevent your PCs from contacting the Internet.
>>
>> When you want to expose the web server on the local network to the internet,
>> you open up port 80 on the Firewall and forward outside traffic to port 80
>> to the internal IP (192.168.x.y) of your web server. To the outside world,
>> 64.2.?.?:80 exists; the router takes care of routing 64.2.?.?:80 requests to
>> 192.168.x.y:80 of your web server, based on your forwarding rule.
>>
>> Now, just because you opened port 80 does NOT mean that it is accessible.
>> Frequently, ISPs will block port 80 traffic from the Internet -- so that even
>> though your 64.2.?.?:80 exists, traffic coming from the Internet gets dropped
>> if it's for port 80.
>>
>> As you can see, networking is just about names (i.e. protocol, IP, Port,
>> etc) and connections (the wires between all devices, the routers, the PCs,
>> etc). Anything along the connection between the client and server can
>> choose to filter traffic one way or the other (i.e. ISP filtering inbound
>> port 80, your firewall filtering all inbound ports, etc), and the names are
>> important to route requests to/from locations along the connections.
>>
>> I suggest you search for information on basic networking knowledge before
>> attempting what you are trying to do, so that you clearly understand what is
>> going on and the security ramifications.
>>
>> --
>> //David
>> IIS
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> //
>> "dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
>> news:B705A2BC-9540-4A31-8706-DCE2149283AC@microsoft.com...
>> Sorry for the double postings, I keep hitting my normal "paste" keyboard
>> shortcut, and it seems to post the message. Lemme try again:
>>
>> thanks. That was helpful.
>>
>> You're right, my computer has an ip of 192.168.x.y. I'm new to networking.
>> What is the significance of that number? Does it mean that it is a private
>> ip that is not accessible from the outside? Does it mean that my ip is
>> proxied?
>>
>> When I go to one of those "what is my ip" sites, they say 64.2.?.?
>>
>> When I go home, and try to http://192.168.x.y/index.html or
>> http://64.2.?.?/index.html, it does not work. Is there another way someone
>> can access the server if I can't http to those ips?
>>
>> Also, is blocking port 80 from the firewall a viable option? Will blocking
>> port 80 stop people from seeing in, stop me from seeing out to other sites,
>> or both?
>>
>>
>>
>> "dawg3294" wrote:
>>
>> > thanks. That was helpful.
>> >
>> > You're right, my computer has an ip of 192.168.x.y. I'm new to networking.
>> > What is the significance of that number? Does it mean
>> >
>> > When i go to one of those "what is my ip" sites, they say
>> >
>> > "David Wang [Msft]" wrote:
>> >
>> > > When you install IIS5, it is going to listen on all network interfaces by
>> > > default. I do not know whether your internet access from the test server is
>> > > via direct connection or proxied. If it is direct connection (i.e. the test
>> > > server is connected to the broadband modem), then your test server is live
>> > > on the Internet and is probably already hacked if unpatched. If it is
>> > > proxied (i.e. test server is attached to a hub/switch with an internal IP
>> > > address, and the broadband modem is connected to some other device which
>> > > manages internal/external IP address mapping), then you're probably Ok, but
>> > > you still need to patch the server.
>> > >
>> > > I would seriously consider flattening this server and starting over if you
>> > > suspect anything on the box, to be safe.
>> > >
>> > > Network-based attacks do not need domains -- they need an IP address.
>> > >
>> > > Personally, for testing ASPX pages, there are two approaches.
>> > > 1. Use Cassini, which is a simple-minded ASP.Net web server useful only for
>> > > testing ASP.Net pages. Check out www.asp.net for more info
>> > > 2a. Install the Microsoft Loopback adapter (go to add a new HW Network
>> > > Card, and loopback is one of the choices)
>> > > b. Manually configure the IP of the loopback to a private, non-routable
>> > > address (like 192.168.x.y)
>> > > c. Configure your websites on IIS to only listen on the IP from 2b
>> > > d. (Optionally) configure IP Security in IIS to deny access to all but
>> > > localhost
>> > >
>> > > In both cases, access to the ASPX page is localhost only.
>> > >
>> > > --
>> > > //David
>> > > IIS
>> > > This posting is provided "AS IS" with no warranties, and confers no rights.
>> > > //
>> > > "dawg3294" <dawg3294@discussions.microsoft.com> wrote in message
>> > > news:059FE7FF-F87B-4851-9844-E800A5265D77@microsoft.com...
>> > > I am using IIS 5 to run a test server. (I use it to test my aspx
>> > > pages before uploading them to my real server, which outsiders
>> > > can see. The server that it is on has access to the internet, but
>> > > I have never set the IIS server to allow outsiders to view the
>> > > website.
>> > >
>> > > Is there any way outsiders can access the website/server? I
>> > > would prefer they not be able to. As I understand it, I would
>> > > have to register my domain before IIS hacker vulnerabilities
>> > > become an issue. Or does the fact that my computer has
>> > > internet access make it possible for people/viruses to access
>> > > the server somehow?
>> > >
>> > > Thanks for any enlightenment. I'm new at this. Also, any
>> > > articles you can point me towards for further research would be
>> > > appreciated.
>> > >
>> > >
>> > >
>>
>>
>>
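A way to check the points David makes above (IIS5 listens on every interface by default, 192.168.x.y is not routable from the Internet, and nothing behind a NAT router is reachable until a port is forwarded), as an added example that is not part of this thread: a small Python audit over constructed Windows `netstat -an` output that classifies each listener by who can reach it. The netstat sample, the `64.2.1.1` stand-in address, the forwarded-port set and the function names are all assumptions; ISP-side filtering is not modelled.

```python
import ipaddress
import re

# Constructed sample of "netstat -an" output (not taken from the thread). It models
# IIS bound to every interface (0.0.0.0:80), a site bound only to a private
# loopback-adapter address, and a localhost-only listener; 64.2.1.1 is a stand-in.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:8080      0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3245      64.2.1.1:80            ESTABLISHED
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def classify_listener(addr: str) -> str:
    """Who can reach a socket bound to this address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:      # 0.0.0.0: the IIS5 default, every interface, WAN included
        return "all-interfaces"
    if ip.is_loopback:         # 127.x: only processes on this machine
        return "localhost-only"
    if ip.is_private:          # RFC 1918 (192.168.x.y etc.): no Internet router forwards it
        return "lan-only"
    return "public"

def audit_listeners(netstat_text: str) -> dict:
    """Return {port: exposure class} for every TCP listener in netstat -an output."""
    result = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            result[int(m.group(2))] = classify_listener(m.group(1))
    return result

def exposed_ports(netstat_text: str, directly_connected: bool,
                  forwarded_ports=frozenset()) -> list:
    """Ports an outside host could reach (assumed model: no ISP filtering)."""
    audit = audit_listeners(netstat_text)
    if directly_connected:     # server on the modem itself: any non-local bind is live
        return sorted(p for p, e in audit.items() if e in ("all-interfaces", "public"))
    # Behind a NAT router: only forwarded ports are reachable, and only if the
    # server accepts them on an address other than loopback.
    return sorted(p for p, e in audit.items()
                  if p in forwarded_ports and e != "localhost-only")
```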
