In message <9504248013.AA801334429@smtpgwy.agric.nsw.gov.au>, Neal Sievwright writes:
> We currently have a screened host gateway using a Cisco router and a
> Solaris-based bastion host. Access is currently limited to mail, ftp,
> and telnet, and is maintained by the router.
> What security implications will I have if I allow URL access both
> through the router or via a proxy server running on the DMZ portion of
> the network? Also what form should the permission string be in the
> config of the router (i.e. what port, type of IP port)?
I assume that your setup is something like this:
       < DMZ NET >                 +------------------+
INET <----> [XXX] -------+------- | screening router |-------+---------
                         |        +------------------+       |
                    +----------+                       +-------------+
                    | DMZ host |                       | Solaris box |
                    +----------+                       +-------------+
I could be mistaken, so please correct me if I did not understand you.
(BTW, ``bastion host'' as defined by Cheswick and Bellovin, means
exposed gateway machines, whereas I think in your scenario the Solaris
box is screened by the router.)
Any time you let unauthenticated data through your security barrier
(which in this case appears to be your router), you have a potential
for security violations. It does not matter whether this data is
email over SMTP or HTML requests over HTTP. The security of your site
is then based on the security of the program accepting the data from
the network.
To answer your specific question, if you want to allow people inside
your site access to resources on the Internet, it is generally
considered that this is fairly safe--or at least the lost convenience
is worse than the potential problems (and there have been specific
problems in the past (e.g. telnet URLs containing shell commands)).
If, however, you are talking about running an HTTP server on the
Solaris box, then people also do this, but it can be made more secure
through a number of mechanisms (e.g. chroot the server, run with a
non-privileged UID, etc). Many people feel instead that it is more
secure to run the HTTP server out in the DMZ so that any potential
compromises in the WWW daemon will not affect the security of your
corporate network.
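The "chroot the server, run with a non-privileged UID" step above, written out as the privilege-drop sequence a daemon would run after binding its port. This is an added example, not code from the post or from any particular HTTP server; the jail path and the 65534 ("nobody") ids are assumptions.

```c
/* Added example: confine a daemon to a chroot jail and switch to an
 * unprivileged uid/gid in the order that actually works. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* declares chroot() and setgroups() on glibc */
#endif
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Returns 0 on success, -1 on any failure; the caller must exit on -1
 * rather than keep serving with whatever privileges are left. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    /* A "drop" that leaves the process as root is not a drop; refuse it. */
    if (uid == 0 || gid == 0)
        return -1;
    /* chroot needs root, so it must happen before the uid change, and the
     * chdir("/") afterwards is mandatory: without it the cwd still points
     * outside the new root. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups, then gid, then uid. Once the uid is non-zero
     * the earlier two calls would no longer be permitted. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed values: an empty jail directory and the "nobody" ids used on
     * older Solaris/BSD systems. Adjust both for the real host. */
    if (drop_privileges("/var/empty", 65534, 65534) != 0) {
        perror("drop_privileges (chroot requires root)");
        return 1;
    }
    printf("running as uid %d inside the jail\n", (int)geteuid());
    return 0;
}
```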
I would not care to make any router config recommendations without
confirmation on some of my above assumptions.
> Also what does TACACS allow me to set up in addition to the services I
> can currently provide ?
Not much. TACACS is typically used to protect the router/terminal
server. It could, theoretically, be used as a proxy telnet server,
but it has several limitations (one, for example, is that it *only*
supports telnet).
----
Seth Robertson                     voice: +1 800 SOS UNIX  +1 212 686 5700
SOS Corporation                      fax: +1 212 686 5703
461 5th Avenue, 16th floor         email: seth@soscorp.com
New York, NY 10017                 http://www.soscorp.com/