List: fwtk-users
Subject: Re: Security question
From: "Jose Luis.Garcia Pacheco" <jgarciay () supelec-rennes ! fr>
Date: 1999-11-22 18:14:26
[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]
On Mon, 22 Nov 1999, Sébastien Cottalorda wrote:
sebast >
sebast > Hi,
sebast >
sebast > I'd like to know what is the best configuration for a very secure
sebast > Firewall
sebast > I only need those services :
sebast > FTP internal --> Internet
sebast > HTTP
sebast > SMTP
sebast > POP-3
sebast > SMAP
sebast >
sebast > I/ Proxy server and external network
sebast > Internet
sebast > |
sebast > External Router
sebast > | \
sebast > --------Firewall (FWTK) }-- DMZ Zone
sebast > | /
sebast > Internal Router
sebast > | }
sebast > /--------\ } Internal Network
sebast >
sebast > II/ Proxy server only
sebast >
sebast > Internet
sebast > |
sebast > Firewall (FWTK) Ip Forwarding Disable and minimal services
sebast > |
sebast > /---------\ Internal Network
sebast >
sebast >
sebast > I need to know if the second solution allows sufficient security for the
sebast > services I need.
sebast > If the Firewall is invested, can somebody listen to my internal network
sebast > (even if I've disabled tcpdump or any other tools like that)?
sebast >
In my opinion, the second architecture is quite reliable. The outer
firewall filter will play the role of a scanning router. The problem, as
you have correctly pointed out, is that once the firewall is compromised,
the cracker has inner network access.
When you say "listening to the network" I think you mean "sniffer": you
have at this moment the same "listening capability" that any inner user has.
Nevertheless, if you are root you can always find a way of
perverting your inner network interface in order to hear everything (a
simple C program can do it). However, that may call for a C compiler within
the firewall. If you have cleansed it beforehand (as it ought to be done)
you can make his life a little bit more complicated....
jl
sebast > Thanks for your explanation
sebast >
sebast > Sebastien
sebast >
sebast >
========== ____<E-MAILS>_____________________________
Jose Luis Garcia Pacheco | jlgp@jlgarciapacheco.virtualave.net |
| jgarciay@supelec-rennes.fr |
\|||||||/ |___<WEBS>_______________________________|
< o o > | http://jlgarciapacheco.virtualave.net |
\ o / |----------------------------------------|
---oOOo-------oOOo--- | 6, Av. de Belle Fontaine.Logement C-209|
*ETSI. Telecom. Univ | 35510 Cesson-Sevigne. France. |
Politecnica UPM. SPAIN |___<Tf.>________________________________|
*SUPELEC (ISR). FRANCE |(33) [0]2-99-84-47-27 (local: 3209) |
+----------------------------------------+
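A baseline audit for the second architecture, as an added example that is not part of this thread or of FWTK: it checks the points the exchange raises (IP forwarding disabled, no interface in promiscuous mode, no C compiler left on the bastion, only the proxied services listening). The function names, the `ip -o link` / `netstat -ltn` input formats and the allowed-port list are assumptions.

```sh
#!/bin/sh
# Baseline audit for a single-host proxy firewall (architecture II in the question).
# Every check takes its input as an argument, so it can run against the live
# host or against captured command output. Added example, not from the thread.

# IP forwarding must be disabled: the kernel file reads "0" when it is off.
# $1: path to the ip_forward file (normally /proc/sys/net/ipv4/ip_forward)
check_ip_forward_off() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# No interface may be in promiscuous mode: the "sniffer" case from the reply.
# $1: text in the format of `ip -o link` (one interface per line)
check_no_promisc() {
    ! printf '%s\n' "$1" | grep -q 'PROMISC'
}

# A compiler left on the bastion makes the attacker's life easier.
# $1: colon-separated directory list to search (pass "$PATH" on a live host)
check_no_compiler() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    for d in "$@"; do
        for c in cc gcc g++ c++ tcc clang; do
            [ -x "$d/$c" ] && return 1
        done
    done
    return 0
}

# Only the proxied services may listen.
# $1: `netstat -ltn`-style output; $2: space-separated allowed TCP ports
check_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) { print "unexpected listener on port " port; bad = 1 }
        }
        END { exit bad }'
}

# Live run: ports 21/80/25/110 are FTP, HTTP, SMTP and POP-3 from the question.
if [ "${1:-}" = "--live" ]; then
    check_ip_forward_off /proc/sys/net/ipv4/ip_forward || echo "FAIL: ip_forward is on"
    check_no_promisc "$(ip -o link 2>/dev/null)"        || echo "FAIL: PROMISC interface"
    check_no_compiler "$PATH"                           || echo "FAIL: compiler on PATH"
    check_listeners "$(netstat -ltn 2>/dev/null)" "21 80 25 110" || echo "FAIL: extra listener"
fi
```

Run it as `sh audit.sh --live` on the bastion; a silent run means every check passed.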