Firewall Wizards mailing list archives

Re: Flat vs Segmented DMZ's


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 06 Nov 2002 23:26:04 +0100


Dave Piscitello wrote:

> What's the business rationale for segmenting?

Why, reducing exposure, of course, as with any other security measure.

Good example:
- Let's say we have one DMZ.
- This DMZ contains a web server, likely highly susceptible to attack,
    but that doesn't matter, because it's "in the DMZ", right?
- This DMZ also contains a mail gateway with content filtering, set to 
    strip out anything that looks bad, and also to protect the poor
    bloated groupware mail server sitting on the inside.

What happens when the web server gets 0wned?

It is trivial for the attacker to spoof the IP of the mail gateway and:
1. Directly attack the poor exch^H^H^H^Hgroupware mail server on 
   the inside, which now has nothing to protect it
or:
2. Send mail with harmful content straight to all recipients.
   Trojan embedded in an IFRAME set to auto-open, anyone?
or:
3. Attack the mail server in case spoofing is too "hard" 
   (it isn't, but let's assume it is).
   Obviously this attack wouldn't be through port 25, which could just
   as easily be done from the outside. But maybe through a buffer 
   overrun in SSH? (After all, SSH isn't reachable from the outside?)


I don't even need to worry about this attack vector if those two
boxes were sitting in separate DMZs (as in: separate interfaces on
the firewall box), not allowed to communicate with each other.

Food for thought...
/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
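The following is an added example, not part of Mikael's post or of any Clavister product. It models the firewall policy from the message as a small first-match rule evaluator and runs the same three flows (the legitimate mail-gateway relay, the compromised web server claiming the gateway's address, and the web server reaching the gateway's SSH port) against two topologies: a flat DMZ where both hosts share one firewall interface, and a segmented one where each host has its own. All addresses, interface names and rules are constructed for illustration; the point it makes visible is that a source-address rule can only be tied to an ingress interface when the hosts do not share that interface.

```python
"""Why a per-interface DMZ stops a compromised host from borrowing
its neighbour's identity. Added example; all addresses, interface
names and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (documentation / private ranges).
WEB_SERVER = "192.0.2.10"
MAIL_GATEWAY = "192.0.2.20"
INTERNAL_MAIL = "10.0.0.25"


@dataclass(frozen=True)
class Packet:
    in_iface: str      # firewall interface the packet actually arrived on
    src: str           # source address as claimed in the IP header
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    in_iface: Optional[str]   # None matches any interface
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    action: str               # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.in_iface, pkt.in_iface), (self.src, pkt.src),
            (self.dst, pkt.dst), (self.dport, pkt.dport)))


def evaluate(rules, pkt: Packet) -> str:
    """First-match policy with an implicit drop at the end."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Topologies: which firewall interface each host sits behind.
FLAT = {WEB_SERVER: "dmz0", MAIL_GATEWAY: "dmz0", INTERNAL_MAIL: "lan0"}
SEGMENTED = {WEB_SERVER: "dmz_web", MAIL_GATEWAY: "dmz_mail",
             INTERNAL_MAIL: "lan0"}


def policy(topology):
    """Same intent in both topologies: only the mail gateway may reach
    the internal mail server on port 25. The rule is bound to the
    interface the gateway sits behind, which is the anti-spoofing
    check a per-interface DMZ makes possible."""
    return [Rule(topology[MAIL_GATEWAY], MAIL_GATEWAY, INTERNAL_MAIL,
                 25, "accept")]


def verdict(topology, sender, claimed_src, dst, dport) -> str:
    """Firewall verdict for a packet really sent by `sender` whose
    header claims `claimed_src` as its source."""
    if topology[sender] == topology[dst]:
        # Same segment: the packet never crosses the firewall at all,
        # so no rule can be applied to it.
        return "unfiltered"
    pkt = Packet(topology[sender], claimed_src, dst, dport)
    return evaluate(policy(topology), pkt)


def simulate(topology) -> dict:
    """The three flows from the thread, evaluated in one topology."""
    return {
        "legit_relay": verdict(topology, MAIL_GATEWAY, MAIL_GATEWAY,
                               INTERNAL_MAIL, 25),
        "spoofed_relay": verdict(topology, WEB_SERVER, MAIL_GATEWAY,
                                 INTERNAL_MAIL, 25),
        "web_to_gateway_ssh": verdict(topology, WEB_SERVER, WEB_SERVER,
                                      MAIL_GATEWAY, 22),
    }


if __name__ == "__main__":
    for name, topo in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, simulate(topo))
```

In the flat topology the spoofed relay is accepted because the forged packet arrives on the very interface the rule was written for, and the SSH flow between the two DMZ hosts never reaches the firewall at all. In the segmented topology the same ruleset drops both, with no extra rules needed: the interface binding does the work.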


Current thread: