Security Basics mailing list archives
Physical vs. Virtual iface device vulnerability
From: "Samuel Moses" <smoses () drjays com>
Date: Wed, 30 Jun 2004 17:30:21 -0700 (PDT)
Question- If I connect my outside switch to my inside switch and give an outside machine an internal address on a virtual interface, will I be opening my network to vulnerabilities differently than if I modified my firewall rules and let the outside connection through? A more in-depth description follows. Thank you very much in advance for any information regarding flaws in this logic!

Problem- I would like to implement Dspam on my mail server. My mail server resides outside my internal network with its own firewall in place. I have a database server that resides inside my network and would like to use the MySQL installation on that machine for the Dspam installation.

Resolution A- Pass through traffic on my OpenBSD firewall from the external mail server to the internal database server for MySQL connections. This seems error prone.

Resolution B- Install MySQL on the mail server locally. This is more maintenance intense as I already have and maintain a tuned DB installation.

Resolution C- Connect the external switch to the internal switch and give the mail server an internal IP address and set up connection to MySQL on the inside only.

I lean toward Resolution C as it's fairly simple to implement, and to me it seems best not to open up any database connection to the outside world no matter how restrictive it is. What I don't know, and the reason for this posting, is whether I'm opening my internal network to intrusions due to the fact that I have an external IP and a virtual internal IP on the same NIC with the two switches connected. Any input pointing out flaws in this idea is welcome.

-sam