
List:       fwtk-users
Subject:    Re: Security question
From:       "Jose Luis.Garcia Pacheco" <jgarciay () supelec-rennes ! fr>
Date:       1999-11-22 18:14:26

[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]

On Mon, 22 Nov 1999, Sébastien Cottalorda wrote:

sebast > Hi,
sebast > 
sebast > I'd like to know the best configuration for a very secure
sebast > firewall.
sebast > I only need these services:
sebast >         FTP         internal --> Internet
sebast >         HTTP
sebast >         SMTP
sebast >         POP-3
sebast >         SMAP
sebast > 
sebast > I/ Proxy server and external network
sebast >     Internet
sebast >         |
sebast >     External Router
sebast >         |                                            \
sebast >         --------Firewall (FWTK)        }--  DMZ Zone
sebast >         |                                            /
sebast >     Internal Router
sebast >         |            }
sebast >     /--------\   } Internal Network
sebast > 
sebast > II/ Proxy server only
sebast > 
sebast >         Internet
sebast >             |
sebast >         Firewall (FWTK)    Ip Forwarding Disable and minimal services
sebast >             |
sebast >         /---------\    Internal Network
sebast > 
sebast > 
sebast > I need to know if the second solution allows sufficient security for the
sebast > services I need.
sebast > If the firewall is compromised, can somebody listen to my internal network
sebast > (even if I've disabled tcpdump or any other tools like that)?
sebast > 

In my opinion, the second architecture is quite reliable. The outer
firewall filter will play the role of a screening router. The problem, as
you have correctly pointed out, is that once the firewall is compromised,
the cracker has inner network access.

When you say "listening to the network" I think you mean "sniffer": at this
moment you have the same "listening capability" as any inner user has.
Nevertheless, if you are root you can always find a way of perverting your
inner network interface in order to hear everything (a simple C program can
do it). However, that may call for a C compiler within the firewall. If you
have cleansed it beforehand (as it ought to be done) you can make his life a
little bit more complicated....

jl

sebast > Thanks for your explanation
sebast > 
sebast > Sebastien
sebast > 
sebast > 

==========               ____<E-MAILS>_____________________________
Jose Luis Garcia Pacheco |  jlgp@jlgarciapacheco.virtualave.net   | 
                         |           jgarciay@supelec-rennes.fr   | 
       \|||||||/         |___<WEBS>_______________________________|
       < o   o >         | http://jlgarciapacheco.virtualave.net  |
        \  o  /          |----------------------------------------| 
 ---oOOo-------oOOo---   | 6, Av. de Belle Fontaine.Logement C-209|
*ETSI. Telecom. Univ     | 35510 Cesson-Sevigne. France.          |
 Politecnica UPM. SPAIN  |___<Tf.>________________________________|
*SUPELEC (ISR). FRANCE   |(33) [0]2-99-84-47-27 (local: 3209)     |
                         +----------------------------------------+
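The "simple C program" mentioned in the reply above, written out as an added example (not code from the original post or from the FWTK project). It assumes Linux with AF_PACKET raw sockets, IPv4 over Ethernet, root privileges, and an inner interface named eth0 by default; the sample frame at the bottom is constructed for the parser, not captured traffic. open_promisc_socket() is what a root user on a compromised firewall runs to hear every frame on the inner segment, and parse_frame() is the decoding that turns those frames into "who talks to whom on which port".

```c
/* Added example: minimal promiscuous-mode sniffer for Linux (assumed platform).
 * Not part of the original post; interface name and frame layout are assumptions. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netpacket/packet.h>

struct pkt_summary {
    uint16_t ethertype;
    uint8_t  proto;              /* IP protocol number (6 = TCP, 17 = UDP) */
    char     src[INET_ADDRSTRLEN];
    char     dst[INET_ADDRSTRLEN];
    uint16_t sport, dport;       /* 0 unless TCP or UDP header present */
};

/* Decode Ethernet + IPv4 (+ TCP/UDP ports). Returns 0 on success, -1 if the
 * frame is truncated or not IPv4. Uses memcpy so unaligned buffers are safe. */
int parse_frame(const uint8_t *buf, size_t len, struct pkt_summary *out)
{
    struct ether_header eh;
    struct iphdr ip;
    size_t off = sizeof eh;

    memset(out, 0, sizeof *out);
    if (len < off) return -1;
    memcpy(&eh, buf, sizeof eh);
    out->ethertype = ntohs(eh.ether_type);
    if (out->ethertype != ETHERTYPE_IP) return -1;

    if (len < off + sizeof ip) return -1;
    memcpy(&ip, buf + off, sizeof ip);
    size_t ihl = (size_t)ip.ihl * 4;             /* header length incl. options */
    if (ihl < sizeof ip || len < off + ihl) return -1;
    out->proto = ip.protocol;
    inet_ntop(AF_INET, &ip.saddr, out->src, sizeof out->src);
    inet_ntop(AF_INET, &ip.daddr, out->dst, sizeof out->dst);
    off += ihl;

    if (ip.protocol == IPPROTO_TCP && len >= off + sizeof(struct tcphdr)) {
        struct tcphdr th; memcpy(&th, buf + off, sizeof th);
        out->sport = ntohs(th.source); out->dport = ntohs(th.dest);
    } else if (ip.protocol == IPPROTO_UDP && len >= off + sizeof(struct udphdr)) {
        struct udphdr uh; memcpy(&uh, buf + off, sizeof uh);
        out->sport = ntohs(uh.source); out->dport = ntohs(uh.dest);
    }
    return 0;
}

/* Open a raw socket bound to ifname and join PACKET_MR_PROMISC, so the NIC
 * delivers frames addressed to other hosts too. Needs CAP_NET_RAW (root). */
int open_promisc_socket(const char *ifname)
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -1;
    unsigned ifindex = if_nametoindex(ifname);
    if (ifindex == 0) { close(fd); return -1; }

    struct sockaddr_ll sll = {0};
    sll.sll_family   = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex  = (int)ifindex;
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) { close(fd); return -1; }

    struct packet_mreq mr = {0};
    mr.mr_ifindex = (int)ifindex;
    mr.mr_type    = PACKET_MR_PROMISC;
    if (setsockopt(fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof mr) < 0) {
        close(fd); return -1;
    }
    return fd;
}

/* Constructed sample (not captured): Ethernet/IPv4/TCP SYN from
 * 10.0.0.5:40000 to 10.0.0.1:110, i.e. an inner host opening a POP-3 session. */
const uint8_t SAMPLE_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,  0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x01,
    0x9c,0x40, 0x00,0x6e, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0x20,0x00, 0x00,0x00, 0x00,0x00
};
const size_t SAMPLE_FRAME_LEN = sizeof SAMPLE_FRAME;

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed inner interface */
    int fd = open_promisc_socket(ifname);
    if (fd < 0) { perror("open_promisc_socket (root required)"); return 1; }
    uint8_t buf[65536];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); break; }
        struct pkt_summary s;
        if (parse_frame(buf, (size_t)n, &s) == 0)
            printf("%s:%u -> %s:%u proto %u\n", s.src, s.sport, s.dst, s.dport, s.proto);
    }
    close(fd);
    return 0;
}
```

Two caveats worth adding to the reply's point about removing the compiler: a binary like this can be built on any other machine and copied onto the firewall, so the absence of cc only slows an intruder down rather than stopping him; and while the socket is open the interface shows the PROMISC flag (visible in `ip link` or `ifconfig` output on the host), which is one cheap thing to monitor on a single-host firewall of the second design.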
