>
>
> >>>>> On Thu, 30 Sep 1993 10:51:14 -0700, Brent Chapman <brent@GreatCircle.COM> said:
>
> brent> Rens Troost <rens@stimpys.IMSI.COM> writes:
>
> rens> Remember, if your security relies on source information,
> rens> then it's not security.
>
> brent> Bullshit.
>
> !?
>
> brent> It may not be perfect, but it _is_ security. It
> brent> limits the class of attackers to those capable of faking IP
> brent> packets. That's still a large class, but it's a whole lot
> brent> smaller than the class of all attackers.
>
> I guess. I would hazard to guess that the class of attacker who is
> capable of exploiting nfs and yp holes is also capable of spoofing a
> source address. As you say, a large class. No thanks.
So you don't filter on source address for packets going *into* your DMZ
or packets from the DMZ to your `protected' net (if you don't trust your
DMZ).
But what about packets going *out* of the DMZ, back onto the Internet?
If a cracker can get access to a host inside the DMZ, then it is
probably safe to assume that trusting packets based on source or
destination from it back to your internal networks makes no difference.
In the case of archie, does anyone see any possibility of writing a
proxy server which binds to a set port in the DMZ and talks to remote
archie servers on behalf of internal machines? This may not be
possible (I haven't looked at the protocol used) if separate packets
cannot be demultiplexed over the same port pair to archie. If this was
the case, it should be trivial to implement a "one-at-a-time" proxy
server to run on the DMZ host.
Darren
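The filtering policy sketched in this message, as an added example rather than anything from the thread: a three-interface filter (Internet, DMZ, protected net) that does not lean on source addresses for traffic entering the DMZ or crossing from the DMZ to the protected net, but does refuse packets leaving the DMZ whose source is not a DMZ address. The address ranges and interface names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ranges; substitute your own when reusing this model.
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")   # the `protected' net
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")       # DMZ hosts


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str  # interface the packet arrived on: "internet", "dmz" or "internal"


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for a packet seen by the screening router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.in_iface == "internet":
        # Inbound anti-spoof: nothing from outside may claim an inside address.
        if src in INTERNAL_NET or src in DMZ_NET:
            return "drop", "inside source address arriving on the external interface"
        if dst in DMZ_NET:
            # Source is not used as a trust signal here; the DMZ service must
            # defend itself (or be proxied), exactly as the message argues.
            return "allow", "to DMZ; source address carries no trust"
        return "drop", "Internet traffic may not reach the protected net directly"

    if pkt.in_iface == "dmz":
        # Egress anti-spoof: a compromised DMZ host must not emit forged sources.
        if src not in DMZ_NET:
            return "drop", "DMZ host sending a source address it does not own"
        if dst in INTERNAL_NET:
            # A DMZ we do not trust gets no address-based trust into the
            # protected net; any access is decided by a proxy, not by source.
            return "drop", "no address-based trust from DMZ into protected net"
        return "allow", "DMZ host replying to the Internet with its own address"

    if pkt.in_iface == "internal":
        if src not in INTERNAL_NET:
            return "drop", "internal interface carrying a non-internal source"
        if dst in DMZ_NET:
            return "allow", "protected net talking to DMZ proxy hosts"
        return "drop", "protected net may not talk to the Internet directly"

    return "drop", "unknown interface"
```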