Re: Where to put my multiple servers?????

From: Roland Hall (nobody_at_nowhere)
Date: 05/03/04


Date: Mon, 3 May 2004 18:03:07 -0500


"Phillip Windell" <@.> wrote in message
news:uiNhCtUMEHA.2716@tk2msftngp13.phx.gbl...
: Well, the questions are legit, but a lot of it is already covered by the
: default config of most Firewalls and some are less of an issue in smaller
: systems. Some other things you can decide which way to go after the "core"
: of the system is in place without having to redesign anything.
:
: I always follow the "keep it simple" idea, so my stuff ends up fairly secure
: on its own just because there isn't anything there to hack, then I only have
: to worry about protecting what actually is there.

Phillip...

Please explain to me how a firewall protects against outbound traffic
sending infected email after a user is compromised by a mass-mailing worm or
how a firewall protects against a fragmented overlap attack when it only
looks at the packet header. "Most" firewalls do NOT protect against this
type of attack and host-based IDS and/or content filtering [ISA] is/are then
required, possibly more.

http://ftester.sourceforge.net/ftester.html

Even if the firewall can be configured to only allow certain services
outbound, which is generally the work of a content filter, rogue services
using known services will not be stopped unless an MD5 checksum is used. The
OP doesn't need to understand how it can happen, only that it can and that
educating yourself is one of your best defenses against attack.

This article at eEye introduces added security measures of an application
firewall, in addition to firewall and IDS.

http://www.eeye.com/html/Research/Papers/DS20010322.html
Relevant context:
Traditional packet-filtering firewalls are able to block packets based on
specific packet characteristics, such as TCP flags, source IP address,
destination IP address, or TCP and UDP ports. They are able to stop packets
that do not meet a certain configurable criteria. Even newer state based
firewalls still only look at packet information contained in the IP, TCP, or
UDP headers. They tend not to look at specific data contained in those
packets beyond the headers, and tend not to discern anything related to a
specific protocol. The other disadvantage of firewalls is that if they are
used to protect public services, by the very nature of the services being
public, they must be allowed access by the Internet at large.

After all, the OP said, "I am figuring that I should have the e-mail server
behind the firewall with ports forwarded for the mail, the same with the
terminal server having 3389 forwarded..."

This may not be deemed necessary when a limited budget is in effect but I
always ask my customers one question when determining how much should be
spent on security.

How long can you be down?

Security issues regarding a single point of presence are not based on the
size of the local network. Cost is a variable for size but the security
implications are the same.

While a VPN is a good idea, it is not a full solution. MSFT found this out
when a remote developer was compromised and opened up a VPN connection to
source code within their network, thus providing a gateway for the
attacker. The security worked as it should but the security model was
broken because the remote user was not protected.

Perhaps it is time for a little studying rather than relying on a false
sense of security due to budget restraints?!

-- 
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
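Added example, not part of Roland's post or the eEye paper: a small Python
simulation of the two points made above. Part 1 shows that a filter deciding
on IP/TCP header fields alone returns the same verdict for a legitimate
outbound SMTP packet and for a worm-generated one, so only a check that looks
inside the payload can tell them apart. Part 2 shows a fragment overlap: a
device that inspects only the first fragment sees one HTTP request, while the
receiving host's reassembly policy decides which bytes are actually delivered.
The rule table, packets, fragments, the crude attachment heuristic and the
two reassembly policies are all constructed assumptions for illustration;
fragment offsets are counted in bytes here, whereas real IPv4 uses 8-byte
units.

```python
"""Added example (not from the original thread): what a header-only packet
filter can and cannot see.  All inputs are constructed for illustration."""
from dataclasses import dataclass

# --- Part 1: header-only filtering vs. payload inspection -------------------

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""

# Constructed rule table: first match wins, default deny.  Mirrors the OP's
# plan of forwarding mail and 3389 through the firewall.
RULES = [
    ("tcp", 25, "allow"),    # outbound SMTP from the mail server
    ("tcp", 3389, "allow"),  # forwarded RDP to the terminal server
]

def header_filter(pkt: Packet) -> str:
    """Decide using header fields only, as a packet filter does.  The payload
    is never consulted, so a worm's SMTP session looks like any other."""
    for proto, dport, action in RULES:
        if pkt.proto == proto and pkt.dport == dport:
            return action
    return "deny"

def content_inspect(pkt: Packet) -> str:
    """An application-layer check the packet filter cannot make: look inside
    the mail for an executable attachment.  Deliberately crude heuristic."""
    body = pkt.payload.lower()
    if b"content-disposition: attachment" in body and (
            b".exe" in body or b".scr" in body):
        return "deny"
    return header_filter(pkt)

# Constructed sample traffic: same 5-tuple shape, different intent.
LEGIT_MAIL = Packet("tcp", "10.0.0.5", "203.0.113.10", 40001, 25,
    b"From: bob@example.com\r\nSubject: report\r\n\r\nQ2 numbers attached.\r\n")
WORM_MAIL = Packet("tcp", "10.0.0.5", "203.0.113.10", 40002, 25,
    b"From: bob@example.com\r\nSubject: hi\r\n"
    b"Content-Disposition: attachment; filename=\"photo.scr\"\r\n\r\nMZ...\r\n")

# --- Part 2: overlapping fragments ------------------------------------------

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset into the reassembled datagram (simplified)
    data: bytes

def reassemble(frags, policy: str = "favor_new") -> bytes:
    """Merge fragments into one buffer.  On overlap, "favor_old" keeps the
    bytes seen first and "favor_new" lets later fragments overwrite them;
    real stacks differ in which they implement, which is the whole problem."""
    buf = bytearray()
    seen = bytearray()  # 1 where a byte has already been written
    for f in frags:
        end = f.offset + len(f.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            seen.extend(bytes(end - len(seen)))
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "favor_new" or not seen[pos]:
                buf[pos] = b
                seen[pos] = 1
    return bytes(buf)

# Constructed fragments: the second overlaps bytes 4..14 of the first and
# swaps the requested path for one of identical length.
FRAG1 = Fragment(0, b"GET /index.html HTTP/1.0\r\n\r\n")
FRAG2 = Fragment(4, b"/secret.txt")

def firewall_view() -> bytes:
    """What a device that inspects only the first fragment sees."""
    return FRAG1.data

def host_view(policy: str) -> bytes:
    """What the end host delivers to the application under a given policy."""
    return reassemble([FRAG1, FRAG2], policy)

if __name__ == "__main__":
    print("header filter: legit =", header_filter(LEGIT_MAIL),
          "worm =", header_filter(WORM_MAIL))
    print("with inspection: worm =", content_inspect(WORM_MAIL))
    print("firewall sees:  ", firewall_view())
    print("host favor_old: ", host_view("favor_old"))
    print("host favor_new: ", host_view("favor_new"))
```

Run it and compare the last three lines: the first-fragment view and the
favor_old host agree, the favor_new host serves a different request than the
one the firewall passed judgement on. The fix is to reassemble (or drop
overlapping fragments) on the inspecting device, which is what ftester's
fragment tests above are probing for.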

