On Thu, 15 Feb 1996, Jim Rosenberg wrote:
> > > This PC would be an FTP server and WWW server. This PC would only be
> > > connected to our office network _after_ it had been disconnected from the
> > > ISP connection. Thus, no need for a fire wall. (So we can transfer files
> > > back and forth.)
> >
> > How do you intend to prevent the PC from being connected to the internet
> > and to the internal net at the same time? Physical disconnection? (How
> > do you prevent someone from physically connecting to both nets at once? the
> > two?) Single card? How are you going to prevent interface
> > messups and too much inconvenience from reconfiguring net links?
>
> I'm not an expert on this subject, and probably shouldn't be posting here,
> but am hoping to further frame the questions, since I've also thought about
> this issue.
>
[snip]
>
> So back to the original question. It seems to me the simplest way to deal
> with this issue is using alternate Winsocks. The setup is a little tricky,
> but doable. You have one Winsock that knows how to talk to the internal
> LAN. It is set up for Ethernet (or whatever you're using) and *has no PPP*
> set up. The other Winsock has PPP set up and no Ethernet. I'm pretty sure
> Trumpet can be set up this way, and probably other versions of Winsock too.
> This isn't as safe as physically disconnecting from the Ethernet while talking
> over PPP, but gives a measure of safety that is probably good enough.
>
Good enough for what? An enterprising attacker doesn't need a *winsock* app
to do bad things[tm]. This doesn't address protocol encapsulation attacks,
and if the gateway can be fooled into running with a new winsock in the
path, you'll likely as not know it. Network drivers can be dynamically
loaded, and DLLs are dynamic by nature.
> There is the obvious issue here that you are trusting your PC user not to
> tamper with the dual Winsock setup. But beyond this, can anyone comment on
> any *technical* weaknesses in a dual Winsock approach?
>
1. Winsock isn't necessary to access the network beyond the gateway host.
(WfW, W95, and NT all allow NetBEUI encapsulation with the click of a
button)
2. You have no assurance that the second winsock isn't pathed as well.
> > Can time delay attacks be set up on the PC?
>
Only if you don't have a way of isolating the data which comes from the net
from the executables in the PC's environment, or if you execute anything
that comes off the machine. If it's treated as data, then your level of
exposure is equal to the trust placed in the data's validity.
> The multiple Winsock solution obviously doesn't defend against this one.
> The scariest thing about a PC connected to the Net sometimes and one's
> internal net other times is the possibility of a Trojan that will wait til
> it's got a Net connection and then connect to bad guys.
>
Depending on the services on the local network, this is not as high of a
threat IMNSHO, as having a real-time connection to both networks. Hence
the evolution of the firewall. The original poster is definitely on a
more secure track with an air-gap, and asks good questions on limiting
the vulnerabilities therein. Anything beyond the original air-gap
solution would lead to an exposure window that I'd not like to be
responsible for. Your Paranoia May Vary.
Paul.
> --
> Jim Rosenberg http://www.well.com/user/jer/
> CIS: 71515,124
> WELL: jer
> Internet: jr @ amanue . pgh . net
>
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts @ clark . net which may have no basis whatsoever in fact."
PSB#9280