Firewall Wizards mailing list archives
Re: Order of Firewall<->NAT - Summation
From: Paul Armstrong <army () cyber com au>
Date: Thu, 30 Aug 2001 10:39:30 +1000
On Tue, Aug 28, 2001 at 03:13:19PM -0400, Bob wrote:
> Rocky Stefano wrote:
> > How would your configuration deal with user installed trojans
>
> Security is like lasagna - the more layers, the better :-).

But unlike lasagna, if you can afford it, each layer should have a different type of pasta in case one of the types is known to go mouldy. ;-)

> What if you need to offer a service? I am toying with the idea of putting an NTP server on the NAT machine (anyone know of any exploits I should be concerned about?)

Versions prior to 4.0.99k are vulnerable to a buffer overflow. You can, however, set up NTP to fetch its time from a server rather than listen on a port.

> And it is reasonable to think about a small web server.

Don't allow the use of CGI... And don't forget your friend chroot.

> In such a case, all the standard caveats apply. A packet filter won't protect your service, so run a service with a good reputation for security (i.e., nothing from Microsoft) and keep up on the patches. Consider security proxies, if they exist, for the service which would scan for exploits, trojans, etc.

TIS FWTK is a good place to start for these.

> > You still need an IDS
>
> That would be the job of the <Firewall/bridge>. Since the NAT is acting as a firewall, *ANY* unrequested traffic (not in response to an outgoing packet) would indicate that the NAT was compromised. And similarly, any suspicious traffic from the LAN would indicate an infested client.

Source routing anyone? Don't trust NAT to filter packets for you. Anyone with half a clue can get around it.

Paul.

--
Paul Armstrong <army () cyber com au>
Cybersource Pty/Ltd. System administration and development.
Floor 9 / 140 Queen St. Melbourne. Ph: 9624 5997 Fax: 9642 5998

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
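As an added illustration (not code from Bob's or Paul's messages), the "any unrequested inbound traffic means the NAT was compromised" check described above, together with a flag for source-routed packets that a plain NAT does not filter, replayed over constructed flow records; the record format, the addresses and the outbound port watchlist are assumptions made for this example.

```python
# Added example, not part of the thread. Replays constructed flow records for a
# NAT box on which only LAN hosts may initiate connections, and flags:
#   (a) inbound flows that do not answer a recorded outbound flow
#   (b) packets carrying an IP source-route option (LSRR/SSRR)
#   (c) outbound flows to ports on a (constructed) watchlist of suspicious services
from collections import namedtuple

Flow = namedtuple("Flow", "ts direction proto src sport dst dport opts")

# Constructed sample records. direction is "out" (LAN -> Internet) or "in".
SAMPLE = [
    Flow(1, "out", "udp", "10.0.0.5", 40000, "203.0.113.10", 123, ""),
    Flow(2, "in",  "udp", "203.0.113.10", 123, "10.0.0.5", 40000, ""),     # NTP reply, requested
    Flow(3, "in",  "tcp", "198.51.100.7", 51000, "10.0.0.5", 80, ""),      # unsolicited inbound
    Flow(4, "in",  "tcp", "198.51.100.9", 51001, "10.0.0.8", 22, "lsrr"),  # source-routed
    Flow(5, "out", "tcp", "10.0.0.9", 40001, "198.51.100.7", 6667, ""),    # LAN host to watched port
]

# Assumed example policy: outbound ports whose use from the LAN is treated as suspicious.
SUSPICIOUS_OUTBOUND_PORTS = {6667}


def find_alerts(flows):
    """Return a list of (ts, reason) for flows that violate the NAT-as-firewall model."""
    requested = set()   # (proto, remote, rport, local, lport) for every outbound flow seen
    alerts = []
    for f in flows:
        if "lsrr" in f.opts or "ssrr" in f.opts:
            alerts.append((f.ts, f"source-routed packet {f.src} -> {f.dst}"))
        if f.direction == "out":
            requested.add((f.proto, f.dst, f.dport, f.src, f.sport))
            if f.dport in SUSPICIOUS_OUTBOUND_PORTS:
                alerts.append((f.ts, f"suspicious outbound {f.src} -> {f.dst}:{f.dport}"))
            continue
        # Inbound: only acceptable if it is the reverse of a recorded outbound flow.
        if (f.proto, f.src, f.sport, f.dst, f.dport) not in requested:
            alerts.append((f.ts, f"unrequested inbound {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in find_alerts(SAMPLE):
        print(ts, reason)
```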
Current thread:
- ISA server versus PIX John Scheidemantel (Aug 26)
- Order of Firewall<->NAT - Summation Bob Washburne (Aug 27)
- RE: Order of Firewall<->NAT - Summation Rocky Stefano (Aug 28)
- Re: Order of Firewall<->NAT - Summation Bob (Aug 29)
- Re: Order of Firewall<->NAT - Summation Paul Armstrong (Aug 31)
- RE: Order of Firewall<->NAT - Summation Rocky Stefano (Aug 28)
- Order of Firewall<->NAT - Summation Bob Washburne (Aug 27)
- Re: ISA server versus PIX R. DuFresne (Aug 31)