Hello again,
Last week I posted a query about TIS. Since I did not receive any
responses, I'm going to re-state my question.
We want to protect our DMZ from our internal user community as well
as provide a "third layer of protection" from the users on the internet.
We have:
Internet -- Filter ---- DMZ w/ TIS proxy ---- Filter ---- Internal Net
            Router #1    server               Router #2
The question boils down to this: does adding a second filtering router
provide any significant protection from crackers on the internet?
Because we are using TIS, the filters from our DMZ to our internal net
are very, very wide. In my eyes, this reduces the effectiveness of the
second filtering router to practically nothing. Although the second
router does protect our DMZ from our internal users quite nicely.
I am assuming that an internet-based cr/hacker is somehow able to gain
access to our TIS proxy server. (Yes, I know this is a big assumption,
but I am doing my best to be paranoid :)) Once that happens, allowing
the proxy server to initiate a TCP connection (w/ port > 1023) to any
one of our TIS clients is a bad thing. If you want to see which ports
I've opened up, please see original email below.
In response, my crime-fighting-partner says, "...you're full of crap...".
Specifically he says:
1. Since, we already have a filtering router and proxy servers,
how can a cr/hacker gain access to our proxy server?
2. So what if the proxy server can create a TCP connection to
our clients? Unless the clients have an application that is listening
on these high-numbered ports, what's the harm?
So what do you all think? Am I being overly paranoid? Is it just about
impossible that a cr/hacker can gain access to our proxy server, by
virtue of the fact that it is protected by a filtering router, etc.?
Is the second filtering router just protecting our DMZ from our
internal user community and nothing else? Is all this just window
dressing?
Thanks, ericv
----------------------------------------------------------------------------
Original Message:
Hello All,
We are using TIS FTP and Telnet proxy. I've checked with the fwtk users
email list about the TCP port numbers TIS uses. Now I have a question
about how these TCP connections can be exploited.
Thanks in advance, ericv
Here's our network:
               The Internet
                    |
             Filtering Router
                    |
      ---------------------------------- DMZ
      |                                |
TIS FTP/Telnet Proxy         Internal Filtering Router
                                       |
                               Corporate Network
                             (unix, pc, mac, etc)
Users on the corporate network use the TIS server on the DMZ. TIS
Telnet has been assigned to destination TCP port number 3200 and TIS
FTP uses TCP port 3300. The TIS proxy server then creates a new TCP
connection from the DMZ back to our TIS clients. The destination
TCP port is < 1023 (TIS uses the same port number as the source
port in the original TCP connection) and the return TCP port is given
to us by portmapper, so it ranges > 29,999.
Here are my questions:
- How large of a hole is it to allow the TIS proxy server to
create a new TCP connection to any internal IP host, using TCP
port < 1023, and a return port < 49999? This filter is placed
on the _Internal_ Filtering router.
- What can be done about this?
BTW, I plan to use a port scanner to "harden" my Unix hosts. But I still
worry about PCs, Macs, NT, other Unix boxes that I don't
administer, etc.
vanuskae @
coho 43:
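A way to put numbers on "how large of a hole" the internal router's rule is, added here as an example and not code from the post or from the TIS toolkit: model the router's access list as an ordered rule list, then count how many low ports on an internal client a brand-new TCP connection (SYN, no ACK) from the proxy host could open. The addresses, prefixes and the client host are constructed; the port ranges (3200/3300, "< 1023", "> 29,999") are the ones from the original message. The second list confines the same rule to the proxy's address and to reply segments only (the ACK-set test that router vendors expose as an "established" match). That list would also refuse the proxy-initiated connection the post describes, so it is the measurement endpoint for the exposure rather than a drop-in replacement for the rule.

```python
"""ACL simulator for the internal filtering router in the diagram above.

Added example, not code from the original post or from the TIS toolkit.
Addresses, prefixes and the sample client are constructed; the port
numbers come from the original message.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")    # constructed DMZ prefix
PROXY = ip_network("192.0.2.10/32")     # constructed address of the TIS proxy host
INTERNAL_NET = ip_network("10.0.0.0/8") # constructed corporate prefix
LOW_PORTS = range(1, 1023)              # "TCP port < 1023"
HIGH_PORTS = range(1024, 65536)
RETURN_PORTS = range(30000, 65536)      # "ranges > 29,999"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    syn: bool = False   # set on the first segment of a new connection
    ack: bool = False   # set on every segment after the initial SYN


def pkt(src: str, dst: str, sport: int, dport: int, syn=False, ack=False) -> Packet:
    return Packet(ip_address(src), ip_address(dst), sport, dport, syn, ack)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src_net: IPv4Network
    dst_net: IPv4Network
    sports: range
    dports: range
    established: bool = False   # require ACK set, i.e. reply traffic only

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src_net and p.dst in self.dst_net
                and p.sport in self.sports and p.dport in self.dports
                and (p.ack or not self.established))


def evaluate(acl: list, p: Packet) -> str:
    """First matching rule wins; a router ACL ends in an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def exposed_ports(acl: list, src: str, dst: str, sport: int) -> set:
    """Destination ports a fresh SYN (no ACK) from src could open on dst."""
    s, d = ip_address(src), ip_address(dst)
    return {port for port in range(1, 65536)
            if evaluate(acl, Packet(s, d, sport, port, syn=True)) == "permit"}


# Replies from the proxy's Telnet (3200) and FTP (3300) listeners back to
# clients: only segments with ACK set, i.e. part of a client-initiated session.
REPLY_RULES = [
    Rule("permit", PROXY, INTERNAL_NET, range(3200, 3201), HIGH_PORTS, established=True),
    Rule("permit", PROXY, INTERNAL_NET, range(3300, 3301), HIGH_PORTS, established=True),
]

# The wide rule from the post: a DMZ host may open a connection to any
# internal host on any port below 1023 from a source port above 29999.
WIDE_ACL = REPLY_RULES + [
    Rule("permit", DMZ_NET, INTERNAL_NET, RETURN_PORTS, LOW_PORTS),
]

# Same rule confined to the proxy address and to reply segments only.
ESTABLISHED_ACL = REPLY_RULES + [
    Rule("permit", PROXY, INTERNAL_NET, RETURN_PORTS, LOW_PORTS, established=True),
]

PROXY_ADDR = "192.0.2.10"
CLIENT = "10.1.2.3"     # constructed internal client

# Constructed packets: a reply inside a client's Telnet session through the
# proxy, and a brand-new connection from the proxy to the client's port 25.
TELNET_REPLY = pkt(PROXY_ADDR, CLIENT, 3200, 40000, ack=True)
NEW_SYN_TO_25 = pkt(PROXY_ADDR, CLIENT, 31000, 25, syn=True)

if __name__ == "__main__":
    for name, acl in (("wide", WIDE_ACL), ("established-only", ESTABLISHED_ACL)):
        reach = exposed_ports(acl, PROXY_ADDR, CLIENT, 31000)
        print(f"{name}: telnet reply={evaluate(acl, TELNET_REPLY)}, "
              f"new SYN to 25={evaluate(acl, NEW_SYN_TO_25)}, "
              f"low ports reachable by a fresh SYN={len(reach)}")
```

Running it shows the two lists agree on the client's own Telnet session (both permit the reply) and differ only on connections the proxy starts itself: the wide rule lets a proxy that has been taken over reach all 1022 low ports on every internal host, the established-only rule none. Whether the middle ground (permitting just the specific callback the proxy needs, to just the hosts that need it) is expressible depends on details of the proxy's behaviour that the post leaves open.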