Firewall Wizards mailing list archives

Re: Order of Firewall<->NAT - Summation


From: Paul Armstrong <army () cyber com au>
Date: Thu, 30 Aug 2001 10:39:30 +1000

On Tue, Aug 28, 2001 at 03:13:19PM -0400, Bob wrote:
> Rocky Stefano wrote:

> > How would your configuration deal with user-installed trojans?

> Security is like lasagna - the more layers, the better :-).
 
But unlike lasagna, if you can afford it, each layer should have a different
type of pasta in case one of the types is known to go mouldy. ;-)

> What if you need to offer a service?  I am toying with the idea of
> putting an NTP server on the NAT machine (anyone know of any exploits I
> should be concerned about?)

Versions prior to 4.0.99k are vulnerable to a buffer overflow.
You can, however, set up NTP to fetch its time from a server rather than listen
on a port.

> And it is reasonable to think about a small web server.

Don't allow the use of CGI...
And don't forget your friend chroot.

> In such a case, all the standard caveats apply.  A packet filter won't
> protect your service, so run a service with a good reputation for
> security (i.e., nothing from Microsoft) and keep up on the patches.
> Consider security proxies, if they exist, for the service which would
> scan for exploits, trojans, etc.
 
TIS FWTK is a good place to start for these.

> > You still need an IDS.

> That would be the job of the <Firewall/bridge>.  Since the NAT is acting
> as a firewall, *ANY* unrequested traffic (not in response to an outgoing
> packet) would indicate that the NAT was compromised.  And similarly, any
> suspicious traffic from the LAN would indicate an infested client.
 
Source routing anyone?
Don't trust NAT to filter packets for you. Anyone with half a clue can get
around it.

Paul.

-- 
Paul Armstrong <army () cyber com au>
Cybersource Pty/Ltd. System administration and development.
Floor 9 / 140 Queen St. Melbourne. Ph: 9624 5997 Fax: 9642 5998
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
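As an added example (not part of Bob's or Paul's posts), here is a toy stateful flow tracker in Python that implements Bob's rule: the firewall/bridge behind the NAT flags any inbound packet that matches no recent outbound flow. The log lines, addresses and record layout are constructed assumptions, not a real sensor format.

```python
"""Flag inbound packets at the bridge that no outbound packet requested.

Record layout (assumed, constructed): "<ts> <in|out> <proto> <src:port> <dst:port>"
as seen on the LAN side of the NAT. Outbound packets open or refresh a flow;
an inbound packet is expected only if the reversed 5-tuple is a live flow.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts direction proto src sport dst dport")

# Constructed sample: a web fetch and an NTP query with their replies, an
# unrequested inbound connection to port 445, and a reply that arrives long
# after the flow it claims to belong to went idle.
SAMPLE = """\
1000.0 out tcp 192.168.1.10:51000 203.0.113.5:80
1000.2 in  tcp 203.0.113.5:80 192.168.1.10:51000
1001.0 in  tcp 203.0.113.9:4444 192.168.1.10:445
1002.0 out udp 192.168.1.10:123 203.0.113.7:123
1002.1 in  udp 203.0.113.7:123 192.168.1.10:123
1400.0 in  tcp 203.0.113.5:80 192.168.1.10:51000
""".splitlines()


def parse(line):
    """Parse one constructed log record into a Packet."""
    ts, direction, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(float(ts), direction, proto, sip, int(sport), dip, int(dport))


def unsolicited(lines, idle=300.0):
    """Return inbound packets whose reversed 5-tuple is not a recent outbound flow.

    `idle` is the number of seconds after the last outbound packet for which
    replies are still accepted; anything later is treated as unrequested.
    """
    flows = {}   # (proto, lan_ip, lan_port, ext_ip, ext_port) -> last outbound ts
    alerts = []
    for line in lines:
        p = parse(line)
        if p.direction == "out":
            flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        last = flows.get((p.proto, p.dst, p.dport, p.src, p.sport))
        if last is None or p.ts - last > idle:
            alerts.append(p)
    return alerts


if __name__ == "__main__":
    for p in unsolicited(SAMPLE):
        print(f"ALERT t={p.ts} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Only packets that are unrequested under this rule are reported; the tracker says nothing about suspicious outbound traffic from the LAN, which Bob treats as the other signal of an infested client.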