Great Circle Associates Firewalls
(January 1998)
 


Subject: Re: SNI revised -- (was: Fraudulent SA's solved)
From: daemond @ ibm . net
Date: Tue, 20 Jan 1998 14:54:01 -0500 (EST)
To: Bernd Eckenfels <lists @ lina . inka . de>
Cc: Ryan Russell <ryanr @ sybase . com>, firewalls @ GreatCircle . COM
In-reply-to: <19980120052158 . 54032 @ lina>

-----BEGIN PGP SIGNED MESSAGE-----



On Tue, 20 Jan 1998, Bernd Eckenfels wrote:

* ->Hello,
* ->
* ->> the only hub in your security it could pose a serious problem).  The two hub
* ->> design is strongly recommended (and with just the above few thoughts I can
* ->> see why) in one of the books that I read (I think it was Building Internet
* ->> Firewalls by Chapman and Zwicky).  L8r.
* ->
* ->There is a drawback in the two hub design: you can't control IP spoofing on
* ->the second (inner) router very well, since you don't know whether the originator
* ->on the middle interface is from the Internet (the outer router) or from any
* ->host on the DMZ. This means DMZ hosts are able to fake any outside IP
* ->address (and, even worse, sniff the answers. Not that I would recommend any
* ->authentication based on it).

This flaw would be experienced on a single hub setup as well.  However,
since the internal hub is set to block UDP (except DNS under very strict
rules) and is set to block all TCP packets with the ACK bit unset for ports
under 1023 (and whatever other ports you wish to apply this rule to), the
cracker doesn't have much he can work with.  If he can't even establish a TCP
connection to any of the internal machines, having control of a system in the
DMZ won't do him any good.  He'll essentially be stuck there.  Also, the
only way he probably could have gotten into the DMZ in the first place was
to have cracked one of your services (and that can only be done in the
DMZ, not on the internal net, because of the <1023 rule).  L8r.

- -------------------------------------------------------------------------
Geoff Gowey		| NetBSD: the best multi-platform OS 
daemond(at)ibm.net	| www.netbsd.org
*************************************************************************
My PGP Key is available on my home page at: *
www.geocities.com/ResearchTriangle/Lab/6749/ * Key id: 35E887AD
Length: 2048-bit | RSA Encryption | Generation date: January 19th, 1998
=========================================================================
"All I ask is for the chance to prove that money can't buy me happiness"
=========================================================================
Spammers beware: I do not buy from companies that spam and I keep track!
Above policy STRICTLY ENFORCED!
*************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBNMUA1AhkJ2A16IetAQEgHwf+PUgj2yprUr9LXlQUjP3rO+LeiaoXrdL9
e5UJU/3K7mu/XWpI9eOynMQdJlyqk0hvuSUVk06GaMFy5grLOO3dLWdPqKVFN/hA
fpZ1LGx9AbReMOtY/RfdgwiiiB0OfjPRIuOCw01685V8Wg7Cl2exN/19S/r2wBX3
GhM2F5CZUxrTgWgsSC+w8W+eT1BktWQY7rqZQifnFMOYqY0WZt9btSyJUV6QyPhN
ApCQgDJfKXX50dRh3fhNkUJ7RF/6yB3ohXZuJKn/HKuTJdNpNGezWn41YXpbGUsE
I9t/TzQXPfssgfI00wprQQcOh5THWE5RM5rCRNOVtjedxO1+UXfQSA==
=ZqxY
-----END PGP SIGNATURE-----
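The inner router policy Geoff describes (UDP blocked except DNS, inbound TCP with ACK unset to privileged ports blocked) and the spoofing limitation Bernd raised, as an added Python example that is not part of the original thread or either author's configuration. The addresses, the single internal DNS server, the DMZ resolver host and the interface names are assumptions, and "ports under 1023" is taken to mean the privileged range 0 through 1023. The packets are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing (not from the thread). The inner router sits between the
# DMZ (its "outer" interface) and the internal net (its "inner" interface).
INTERNAL_NET = ip_network("10.1.0.0/16")
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_DNS = ip_address("10.1.0.53")   # assumed: only internal host that takes DNS
DMZ_DNS = ip_address("192.0.2.53")       # assumed: the only DMZ host allowed to send it
PRIVILEGED_MAX = 1023                    # assumed reading of "ports under 1023"


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "outer" (from DMZ) or "inner"
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; ignored for UDP


def inner_router_filter(pkt: Packet) -> tuple[bool, str]:
    """Return (permit, reason) for a packet seen by the inner router."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # Anti-spoofing. On the outer interface the router can only reject packets
    # that claim an internal source; it has no way to tell whether an outside
    # source address really came from the Internet or was faked by a DMZ host.
    if pkt.iface == "outer" and src in INTERNAL_NET:
        return False, "spoofed internal source on outer interface"
    if pkt.iface == "inner" and src not in INTERNAL_NET:
        return False, "non-internal source on inner interface"
    if pkt.iface == "inner":
        return True, "outbound from internal net"

    # Inbound (DMZ -> internal) rules as stated in the message.
    if pkt.proto == "udp":
        # "block UDP (except DNS under very strict rules)": only the DMZ
        # resolver talking to the internal DNS server on port 53.
        if src == DMZ_DNS and dst == INTERNAL_DNS and pkt.dport == 53:
            return True, "DNS from DMZ resolver to internal DNS server"
        return False, "UDP blocked except strict DNS"
    if pkt.proto == "tcp":
        # "block all TCP packets with the ACK bit unset for ports under 1023":
        # a new inbound connection attempt to a privileged port is dropped.
        if pkt.dport <= PRIVILEGED_MAX and not pkt.ack:
            return False, "ACK unset to privileged port (new inbound connection)"
        return True, "TCP with ACK set, or non-privileged port"
    return False, "unknown protocol"


def demo() -> dict[str, bool]:
    """Constructed packets exercising each rule; returns name -> permitted."""
    cases = {
        # Cracked DMZ host spoofs an outside address and tries to open telnet inward.
        "spoofed_syn_telnet": Packet("outer", "tcp", "203.0.113.7", "10.1.0.10", 40000, 23),
        # Same spoofed source, but with ACK set: the filter lets it through, because
        # the router cannot distinguish a DMZ host from the Internet on that interface.
        "spoofed_ack_telnet": Packet("outer", "tcp", "203.0.113.7", "10.1.0.10", 40000, 23, ack=True),
        # Packet on the outer interface claiming an internal address: caught.
        "claims_internal": Packet("outer", "tcp", "10.1.0.99", "10.1.0.10", 40000, 23, ack=True),
        # Non-DNS UDP inbound from the DMZ: blocked.
        "udp_inbound": Packet("outer", "udp", "192.0.2.5", "10.1.0.10", 1234, 2049),
        # DNS from the DMZ resolver to the internal DNS server: permitted.
        "dns_from_dmz": Packet("outer", "udp", "192.0.2.53", "10.1.0.53", 53, 53),
        # Internal host opening a connection out to a DMZ web server: permitted.
        "outbound_http": Packet("inner", "tcp", "10.1.0.10", "192.0.2.80", 40001, 80),
    }
    return {name: inner_router_filter(p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:20s} {'permit' if pkt else 'drop'}")
```

The two telnet cases are the heart of the exchange: the SYN is dropped by the ACK rule regardless of where it came from, while the ACK-set packet with the same spoofed source passes, which is exactly the gap the anti-spoofing check on the inner router cannot close.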


