Security Basics mailing list archives
Re: Physical vs. Virtual iface device vulnerability
From: Brett <bretton () gmail com>
Date: Thu, 1 Jul 2004 15:32:22 -0700
It seems that the implications would be the same as opening ports on your firewall. You are just exposing your internal network to other services it would otherwise be free of. The risk is really dependent upon how confident you are that the external server is locked down. If it is less secure than your firewall, then your internal network as a whole is less secure.

If you only open 3306 for MySQL, and lock it to the IP, then you are only exposing potential MySQL vulnerabilities to one host. If you put your external server on your internal network as well, then you are exposing yourself to potential risks for all the services.

Brett

On Wed, 30 Jun 2004 17:30:21 -0700 (PDT), Samuel Moses <smoses () drjays com> wrote:

> Question - If I connect my outside switch to my inside switch and give an outside machine an internal address on a virtual interface, will I be opening my network to vulnerabilities differently than if I modified my firewall rules and let the outside connection through? A more in-depth description follows. Thank you very much in advance for any information regarding flaws in this logic!
>
> Problem - I would like to implement Dspam on my mail server. My mail server resides outside my internal network with its own firewall in place. I have a database server that resides inside my network and would like to use the MySQL installation on that machine for the Dspam installation.
>
> Resolution A - Pass through traffic on my OpenBSD firewall from the external mail server to the internal database server for MySQL connections. This seems error prone.
>
> Resolution B - Install MySQL on the mail server locally. This is more maintenance intensive as I already have and maintain a tuned DB installation.
>
> Resolution C - Connect the external switch to the internal switch, give the mail server an internal IP address and set up the connection to MySQL on the inside only.
>
> I lean toward Resolution C as it's fairly simple to implement and to me it seems best not to open up any database connection to the outside world no matter how restrictive it is. What I don't know, and the reason for this posting, is whether I'm opening my internal network to intrusions due to the fact that I have an external IP and a virtual internal IP on the same NIC with the two switches connected. Any input pointing out flaws in this idea is welcome.
>
> -sam
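As an added illustration (not from either poster), the following pf.conf fragment is one way to express Brett's "open 3306 and lock it to the IP" version of Resolution A on an OpenBSD firewall, where only new TCP connections from the mail server to the database host are admitted and every other path into the LAN stays denied. Interface names and addresses are constructed placeholders; the fragment is not a complete ruleset.

```pf
# Added example, not from the thread: restrict the external mail server to
# MySQL on one internal host. Interface names and addresses are constructed.
ext_if     = "em0"              # toward the mail server / outside
int_if     = "em1"              # toward the internal LAN
mail_srv   = "203.0.113.10"     # external mail server (placeholder)
db_srv     = "10.0.0.20"        # internal MySQL host (placeholder)
mysql_port = "3306"

set skip on lo
block in  log all               # default deny in both directions;
block out log all               # anything not passed below is dropped and logged

# Only the mail server, only to the DB host, only TCP 3306, and only
# connections initiated from the mail server side. Reply packets match the
# state entry, so no rule from the LAN back to the mail server is needed.
pass in  quick on $ext_if proto tcp from $mail_srv to $db_srv port $mysql_port \
    flags S/SA keep state
pass out quick on $int_if proto tcp from $mail_srv to $db_srv port $mysql_port \
    flags S/SA keep state

# Explicit, separately logged denial of anything else from the mail server
# into the LAN. This is the exposure Resolution C gives up: once the mail
# server is bridged onto the internal switch, nothing enforces this boundary.
block in log quick on $ext_if from $mail_srv to $int_if:network
```

Because the second pair of `pass` rules carries `quick`, pf stops evaluating there for the permitted MySQL flow, while the trailing `block ... quick` gives the mail server's other attempts their own log entries for monitoring.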