Security Basics mailing list archives

RE: Question about dmz security


From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Sat, 15 Feb 2003 07:50:53 -0600

The problem with a multi-homed solution is that if somebody were to
compromise the ftp server, they gain unfirewalled access to your local
network.

How?

Use the compromised ftp to install a telnet server listening on a port
(maybe one that 'calls home' to get through the DMZ firewall instead of a
vanilla telnet, but not difficult).  Now your bad-guy has unfirewalled
access to the LAN.

Easy attack #2 - install a packet sniffer that looks for interesting packets
and periodically emails the sniffs to some anonymous hotmail account (or
just as a file available for download on the ftp server).

etc.


-----Burton



-----Original Message-----
From: Jennifer Fountain [mailto:JFountain () rbinc com]
Sent: Friday, February 14, 2003 1:42 PM
To: security-basics () securityfocus com
Subject: Question about dmz security



I need an opinion on a current design implementation in place.  We have
an ftp server sitting in our dmz.  This box has two nics - one is
plugged into the dmz hub and one is plugged into our network.  I think
this is a security risk and we should just allow internal users access
to the box via the firewall by opening the port instead of having dual
nics.  They do not see a security risk. Maybe I am just too new at this
and need some education.  What is the "best" way to implement this
configuration?


Thank you
Jenn Fountain
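The dual-NIC layout described above can be audited rather than argued about. The following is an added example, not code from either poster: it parses `ip -o -4 addr show` output (a constructed sample for the FTP box is embedded) and flags a host whose interfaces sit in more than one zone, which is exactly the unfirewalled path between DMZ and LAN that the reply warns about. The zone subnets are assumptions; substitute your own addressing plan.

```python
"""Audit whether a host has interfaces in more than one network zone."""
import ipaddress
import re

# Assumed zone definitions (constructed; adjust to the real addressing plan).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}

# Constructed sample of `ip -o -4 addr show` output for a dual-homed FTP host:
# eth0 faces the DMZ hub, eth1 is plugged into the internal network.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.21/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 10.1.5.21/24 brd 10.1.5.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""

# One `ip -o` record per line: "<idx>: <ifname>    inet <addr>/<prefix> ..."
LINE_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")


def parse_ip_addr(text):
    """Return [(ifname, IPv4Interface)] from `ip -o -4 addr show` output, skipping loopback."""
    result = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group(2))
        if iface.ip.is_loopback:
            continue
        result.append((m.group(1), iface))
    return result


def zones_touched(interfaces, zones=ZONES):
    """Map each interface name to the zone its address falls in ('unknown' if none)."""
    return {
        name: next((z for z, net in zones.items() if iface.ip in net), "unknown")
        for name, iface in interfaces
    }


def is_dual_homed(interfaces, zones=ZONES):
    """True when the host holds addresses in more than one defined zone.

    Such a host is a path between those zones that bypasses the firewall,
    so anything that compromises it reaches the second zone directly.
    """
    seen = {z for z in zones_touched(interfaces, zones).values() if z != "unknown"}
    return len(seen) > 1
```

Run it against the real `ip -o -4 addr show` output of each DMZ host; a result of True for any host means the firewall is not the only thing between the DMZ and the LAN.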


