
List:       fwtk-users
Subject:    Re: tis on rh linux 6.1 (NAT versus Proxies)
From:       Bill Kocik <bkocik () velocityhsi ! com>
Date:       2000-03-21 6:20:14

[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]


> 1) A firewall made of proxies + packet filtering is the most secure version.
> However the IP forwarding option must be turned off, right?

For utmost security, yes, it's best to have forwarding turned
off.

> 
> Something is not clear to me... If you use IP Masquerading (i.e. NAT), you need
> to turn on the IP forwarding option, right?
> So, the mere possibility that someone could use your FW as a bridge, it's a tragedy!

Yes, that's true. But in configuring any firewall system one must
find a balance between security and usability that fits their
particular needs. If you need forwarding, you turn it on. If you
can't live with the risk, you don't.

> I understand that if you have an IP network with public addresses and a machine
> that is acting like a router (i.e. IP forwarding ON), is the biggest risk.
> However if you're using IP Masquerading (in Linux), that means you have an
> internal network, with private addresses, and the FW box maps those addresses... So,
> * how can anyone use the firewall as a bridge? *

The one way that immediately pops into my head is by using source
routed frames (which any TCP/IP stack worth its salt will drop
like a hot rock...heck, even NT does this). There may be other
ways, though, but the fact that I cannot think of more is
irrelevant. By definition, if your firewall is capable of and
willing to pass a packet from one interface to another to
facilitate communication between an external and internal host
(without proxying for it) in either direction, there's a risk.
Even if it's only a theoretical risk, it's a risk. Oh yeah,
another way just came to mind: spoofing. It's simple enough to
guard against this, but it seems every time someone thinks
they've created a secure OS/application/network, someone else
comes along and proves them wrong.

> Maybe this is the point... It doesn't matter if you can make a hell of a packet
> filter (with spoof protection), if someone (even in theory) can take advantage of
> the forwarding option of the firewall, and make the entry in your network...

That's exactly it. I've just never been very good at brevity.

> Maybe someone can make a conclusion out of this...

There are no conclusions, only preludes to further discussions.
> -)

-- 
Bill Kocik
Taos Mountain - "The Sys Admin Company"
Santa Clara, California
http://www.taos.com
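The reply above names the three knobs that decide whether a Linux masquerading box can be used as a bridge: forwarding itself, acceptance of source-routed packets, and anti-spoof (reverse-path) filtering. The following audit script is an added example, not code from the thread or its author; it reads the real Linux sysctl files under /proc/sys but accepts an alternate root directory so it can be exercised offline against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): audit the forwarding-related
# kernel settings the discussion turns on. ROOT defaults to /proc/sys;
# pass another directory with the same layout to test offline.

# read_knob ROOT RELPATH -> prints the file's value, or "missing"
read_knob() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# audit_forwarding [ROOT] -> prints one line per check; the return
# value is the number of findings (0 = nothing to fix).
audit_forwarding() {
    root=${1:-/proc/sys}
    findings=0
    fwd=$(read_knob "$root" net/ipv4/ip_forward)
    srr=$(read_knob "$root" net/ipv4/conf/all/accept_source_route)
    rpf=$(read_knob "$root" net/ipv4/conf/all/rp_filter)

    if [ "$fwd" = 1 ]; then
        # Forwarding is what NAT/masquerading needs, and it is the risk
        # the thread describes, so it is always reported.
        echo "WARN ip_forward=1: host relays packets between interfaces"
        findings=$((findings + 1))
        # With forwarding on, the two bypasses named in the reply must be closed.
        if [ "$srr" != 0 ]; then
            echo "FAIL accept_source_route=$srr: source-routed packets not dropped (set 0)"
            findings=$((findings + 1))
        fi
        if [ "$rpf" != 1 ] && [ "$rpf" != 2 ]; then
            echo "FAIL rp_filter=$rpf: no reverse-path check, spoofed sources accepted (set 1)"
            findings=$((findings + 1))
        fi
    else
        echo "OK ip_forward=$fwd: host does not relay packets (proxy-only posture)"
    fi
    return "$findings"
}

# Stand-alone run: audit the live kernel (or AUDIT_ROOT if set).
audit_forwarding "${AUDIT_ROOT:-/proc/sys}" || echo "$? finding(s) above"
```

The return value lets a cron job or a configuration check fail when forwarding is enabled without the compensating settings.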

