Security Basics mailing list archives

Physical vs. Virtual iface device vulnerability

From: "Samuel Moses" <smoses () drjays com>
Date: Wed, 30 Jun 2004 17:30:21 -0700 (PDT)

Question-

If I connect my outside switch to my inside switch and give an outside
machine an internal address on a virtual interface, will I be opening
network to vulnerabilities differently than if I modified my firewall
rules and let the outside connection through?  A more in depth description
follows.  Thank you very much for any information regarding flaws in this
logic in advance!

Problem-
I would like to implement Dspam on my mail server.  My mail server resides
outside my internal network with its own firewall in place.  I have a
database server that resides inside my network and would like to use the
MySQL installation on that machine for the Dspam installation.

Resolution A-
Pass through traffic on my openbsd firewall from the external mail server
to the internal database server for MySQL connections.  This seems error
prone.

Resolution B-
Install MySQL on the mail server locally.  This is more maintenance
intense as I already have an maintain a tuned DB installation.

Resolution C-
Connect the external switch to the internal switch and give the mail
server an internal ip address and set up connection to MySQL on the inside
only.

I lean toward Resolution C as it's fairly simple to implement and to me
seems best not to open up any database connection to the outside world no
matter how restrictive it is.  What I don't know, and the reason for this
posting is I'm unsure of whether I'm opening my internal network to
intrusions due to the fact that I have an external ip and a virtual
internal ip on the same nic with the two switches connected.  Any input
pointing out flaws in this idea are welcome.

-sam





---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Physical vs. Virtual iface device vulnerability Samuel Moses (Jul 01)
- Re: Physical vs. Virtual iface device vulnerability Brett (Jul 05)
- RE: Physical vs. Virtual iface device vulnerability David Gillett (Jul 05)