firewalls and webservers request for comments

Frank Wiles frank at wiles.org
Fri Oct 8 08:58:00 CDT 2004


On Thu, 7 Oct 2004 18:07:19 -0500
"Dustin Decker" <dustin.decker at 1on1security.com> wrote:

> One other concern I would have is for vulnerable software.  If I have
> an apache server behind a firewall, and a new vulnerability is
> discovered, exploitation of it doesn't place my firewall at risk,
> whereas root access gained through [insert hack of the week here]
> quickly gains the ability to disable iptables entirely.  I guess this
> is one of those rare instances in which I don't entirely agree with
> Frank.  (Oh, and my hang up on "bastion hosts".)

  Yup, this is the spot where we disagree. :) 

  I can see why you wouldn't want someone to compromise your
  firewall, but this is of little concern if they have compromised
  a server behind it.  

  If I can gain root access to the server running Apache behind the
  firewall... what exactly is the firewall doing for you then? I've
  got full access to your "protected" network now... 

  I will admit you can limit the hosts the webserver can access, etc.
  but most people set up a firewall as a line in the sand and don't do
  security like an onion.  Break through one layer... several more
  layers to go.  

  This is why I prefer using something like iptables.  If they can
  compromise the machine... well that's all they can do.  Of course
  they can turn off iptables and compromise the machine further, but
  they don't have any special access to the other servers which should
  keep them out of the others.  

 ---------------------------------
   Frank Wiles <frank at wiles.org>
   http://www.wiles.org
 ---------------------------------
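As an added illustration of the point Frank makes above (a host firewall on the webserver itself that limits which hosts it can reach, so that a compromised Apache box gets no special access to the rest of the network), here is an example ruleset. It is not from the original post or from either author; the interface name, addresses, ports and admin network are assumptions chosen for the example. The script only emits the ruleset unless explicitly asked to apply it.

```shell
#!/bin/sh
# Added example: per-host iptables ruleset for a webserver that limits both
# what can reach it and what it may reach. All names and addresses below are
# assumptions for the example, not values from the original thread.

WEB_IF=eth0              # assumed public-facing interface
DB_HOST=10.0.0.20        # assumed database server the webapp talks to
DB_PORT=5432             # assumed database port (PostgreSQL)
DNS_HOST=10.0.0.2        # assumed internal resolver
ADMIN_NET=10.0.1.0/24    # assumed network admins SSH in from

# Print a complete iptables-restore ruleset on stdout. Does not apply it.
gen_webserver_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always fine
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections already established in either direction
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# what the world may open towards this host: HTTP and HTTPS only
-A INPUT -i $WEB_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the admin network
-A INPUT -i $WEB_IF -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# what this host may open itself: the database and the resolver, nothing else.
# A root shell on the box can still flush these rules, but until it does,
# it cannot scan or reach the other servers behind the perimeter firewall.
-A OUTPUT -o $WEB_IF -d $DB_HOST -p tcp --dport $DB_PORT -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WEB_IF -d $DNS_HOST -p udp --dport 53 -j ACCEPT
# log dropped egress attempts (rate limited); a compromised box trying to
# reach other hosts shows up here
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
COMMIT
EOF
}

# Number of rules that let this host open a NEW connection outbound.
# Keeping this number small is the whole point of the ruleset.
count_accept_new_output() {
    gen_webserver_rules | grep -c -- '-A OUTPUT .*--ctstate NEW -j ACCEPT'
}

# Default policy of the OUTPUT chain as written in the ruleset.
output_policy() {
    gen_webserver_rules | sed -n 's/^:OUTPUT \([A-Z]*\).*/\1/p'
}

# Apply with:  sh webfw.sh --apply   (needs root; iptables-restore loads the
# whole table atomically, so a typo does not leave the host half-filtered).
if [ "${1:-}" = "--apply" ]; then
    gen_webserver_rules | iptables-restore
fi
```

Run it without arguments to review the generated ruleset, and with `--apply` as root to load it. The default DROP policy on OUTPUT is what distinguishes this from the usual "line in the sand" perimeter firewall: the webserver can answer web requests and talk to its database, and nothing else, until an attacker who already has root bothers to flush the rules.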




More information about the Kclug mailing list