Great Circle Associates Firewalls
(December 1995)
 


Subject: Re: is a second filter router worthwhile?
From: lpierce @ intex . net (S. Lane Pierce)
Date: Fri, 01 Dec 1995 11:17:01 -0600
To: Eric Vanuska <vanuskae @ halsp . hitachi . com>, firewalls @ GreatCircle . COM

At 10:14 AM 11/29/95 -0800, Eric Vanuska wrote:
>Hello again,

Hi

>Last week I posted a query about TIS. Since I did not receive any
>responses, I'm going to re-state my question.
>
>We want to protect our DMZ from our internal user community as well
>as provide a "third layer of protection" from the users on the internet. 
>We have:
>     Internet -- Filter ---DMZ w/ TIS proxy -- Filter --- Internal Net
>                Router #1          server     Router #2
>
>The question boils down to this, does adding a second filtering router
>provide any significant protection from crackers on the internet? 

First and foremost, it will prevent the cr/hacker from being able to monitor
traffic on the internal net if/when the proxy server is cracked.  Keep in
mind though that any protection you get is what you have programmed your
filters for.

>Because we are using TIS, the filters from our DMZ to our internal net 
>are very, very wide. In my eyes, this reduces the effectiveness of the 
>second filtering router to practically nothing. Although the second 
>router does protect our DMZ from our internal users quite nicely. 
>
>I am assuming that an internet based cr/hacker is somehow able to gain 
>access to our TIS proxy server. (Yes I know this is a big assumption, 
>but I am doing my best to be paranoid :)) Once that happens, allowing 
>the proxy server to initiate a TCP connection (w/ port > 1023) to any 
>one of our TIS clients is a bad thing. If you want to see which ports 
>I've opened up, please see original email below.
>
>In response, my crime-fighting-partner says, "...you're full of crap...".
>Specifically he says:
>      1. Since, we already have a filtering router and proxy servers,
>      how can a cr/hacker gain access to our proxy server? 

Tell your crime-fighting-partner to get his head out of the sand.  Are you
running syslog on the proxy server?  Have you made all latest patches to
TIS, the OS, etc...?

>      2. So what if the proxy server can create a TCP connection to
>      our clients. Unless the clients have an application that is listening
>      to these high number ports, what's the harm?
>
>
>So what do all think? Am I being overly paranoid? Is it just about 
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^
On this list!?  Nah.   ;->


>impossible that a cr/hacker can gain access to our proxy server, by 
>virtue of the fact that it is protected by a filtering router, etc? 
>Is the second filtering router just protecting our DMZ from our 
>internal user community and nothing else? Is all this just window
>dressing?
>
>Thanks, ericv

Best of luck to you ericv.

S. Lane Pierce
lpierce @ intex . net
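The exchange above turns on one detail: the DMZ-to-internal filters on Router #2 are "very, very wide", so a compromised proxy could open a fresh TCP connection to any internal client on a high port. The following is an added example, not code from the thread or from TIS; it models a stateless router filter in Python with constructed addresses (192.0.2.10 for the proxy, 10.0.0.5 for a client), a constructed proxy port of 8080 and a made-up rule syntax, and it shows the wide rule set beside a tightened one that only passes proxy packets carrying the ACK bit (the classic "established" test a stateless router can do, meaning replies to connections the internal clients opened themselves).

```python
"""Stateless packet-filter model for Router #2 (DMZ <-> internal net).

Added example, not code from the original thread. Addresses, ports and
the rule syntax are constructed for illustration; the "established"
check models the ACK-bit test a stateless router ACL can perform.
"""
from dataclasses import dataclass

PROXY = "192.0.2.10"   # constructed: TIS proxy host in the DMZ
CLIENT = "10.0.0.5"    # constructed: a TIS client on the internal net
PROXY_PORT = 8080      # constructed: port the proxy service listens on


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # exact host address or "any"
    dst: str
    dport_lo: int
    dport_hi: int
    established: bool = False  # match only packets carrying ACK (replies)

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if not (self.dport_lo <= p.dport <= self.dport_hi):
            return False
        if self.established and not p.ack:
            return False
        return True


def filter_packet(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Internal clients may open connections to the proxy service.
INTERNAL_TO_PROXY = Rule("permit", "any", PROXY, PROXY_PORT, PROXY_PORT)

# "Very, very wide" return path: the proxy may send anything to any
# internal high port, including a fresh SYN that opens a new connection.
WIDE_RULES = [INTERNAL_TO_PROXY,
              Rule("permit", PROXY, "any", 1024, 65535)]

# Tightened return path: the proxy may only send packets with ACK set,
# i.e. replies to connections the internal clients opened themselves.
TIGHT_RULES = [INTERNAL_TO_PROXY,
               Rule("permit", PROXY, "any", 1024, 65535, established=True)]

# Constructed traffic samples.
CLIENT_OPENS = Packet(CLIENT, 2049, PROXY, PROXY_PORT, syn=True)
PROXY_REPLIES = Packet(PROXY, PROXY_PORT, CLIENT, 2049, syn=True, ack=True)
PROXY_INITIATES = Packet(PROXY, 5000, CLIENT, 6000, syn=True)  # proxy reaching inward


def compare(packet: Packet) -> dict:
    """Decision for one packet under each rule set."""
    return {"wide": filter_packet(WIDE_RULES, packet),
            "tight": filter_packet(TIGHT_RULES, packet)}


if __name__ == "__main__":
    for name, pkt in [("client opens", CLIENT_OPENS),
                      ("proxy replies", PROXY_REPLIES),
                      ("proxy initiates", PROXY_INITIATES)]:
        print(f"{name:16s} {compare(pkt)}")
```

Under the wide rules all three sample packets are permitted; under the tightened rules the client's connection and the proxy's reply still pass, but the proxy's own SYN toward an internal high port is dropped, which is exactly the case Eric worried about. The ACK-bit test is stateless, so it cannot distinguish a genuine reply from a forged packet that simply has ACK set, and it does nothing for UDP; a filter that tracks connection state is the stronger version of the same idea, and, as Lane says, the router only protects against what the filters are actually programmed for.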

