Security Basics mailing list archives

Re: Physical vs. Virtual iface device vulnerability


From: Brett <bretton () gmail com>
Date: Thu, 1 Jul 2004 15:32:22 -0700

It seems that the implications would be the same as opening ports on
your firewall.  You are just exposing your internal network to other
services it would otherwise be free of.  The risk is really dependent
upon how confident you are that the external server is locked down.

If it is less secure than your firewall, then your internal network as
a whole is less secure.  If you only open 3306 for MySQL, and lock it
to the IP, then you are only exposing potential MySQL vulnerabilities
to one host.  If you put your external server on your internal network
as well, then you are exposing yourself to potential risks for all the
services.

Brett

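To make Brett's point concrete, here is what the tightly scoped "Resolution A" looks like as an OpenBSD pf rule set. This is an added example, not from either poster; the interface names and the addresses are constructed placeholders (documentation and private ranges), and it assumes the OpenBSD firewall from the question sits between the mail server and the database host.

```pf
# Constructed example: firewall between the external mail server
# and the internal MySQL host. Only the one flow the mail server
# needs is allowed, pinned to both endpoints and the MySQL port.
ext_if = "fxp0"                 # placeholder: outside interface
int_if = "fxp1"                 # placeholder: inside interface
mail_server = "203.0.113.25"    # placeholder: external mail host
db_server   = "192.168.10.5"    # placeholder: internal MySQL host
mysql_port  = "3306"

# Default deny in both directions on every interface.
block all

# Weak version (do NOT use): any outside host may reach any inside
# host on 3306, so every MySQL vulnerability is exposed to the world.
# pass in on $ext_if proto tcp to port $mysql_port

# Tight version: exactly one source, one destination, one port.
# pf's default floating state policy lets the reply packets and the
# forwarded packets on $int_if match this state, so no further
# pass rule is needed for this flow.
pass in on $ext_if proto tcp from $mail_server to $db_server \
    port $mysql_port flags S/SA keep state

# Everything else from the outside stays blocked; the internal
# network is still reachable from the mail server only on 3306.
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`. Compare this with Resolution C, where bridging the two switches bypasses the firewall entirely, so a compromise of the mail server reaches every internal service rather than this single port.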

On Wed, 30 Jun 2004 17:30:21 -0700 (PDT), Samuel Moses
<smoses () drjays com> wrote:

Question-

If I connect my outside switch to my inside switch and give an outside
machine an internal address on a virtual interface, will I be opening my
network to vulnerabilities differently than if I modified my firewall
rules and let the outside connection through?  A more in-depth description
follows.  Thank you very much in advance for any information regarding flaws
in this logic!

Problem-
I would like to implement Dspam on my mail server.  My mail server resides
outside my internal network with its own firewall in place.  I have a
database server that resides inside my network and would like to use the
MySQL installation on that machine for the Dspam installation.

Resolution A-
Pass through traffic on my openbsd firewall from the external mail server
to the internal database server for MySQL connections.  This seems error
prone.

Resolution B-
Install MySQL on the mail server locally.  This is more maintenance
intensive as I already have and maintain a tuned DB installation.

Resolution C-
Connect the external switch to the internal switch and give the mail
server an internal ip address and set up connection to MySQL on the inside
only.

I lean toward Resolution C as it's fairly simple to implement and to me
seems best not to open up any database connection to the outside world no
matter how restrictive it is.  What I don't know, and the reason for this
posting is I'm unsure of whether I'm opening my internal network to
intrusions due to the fact that I have an external ip and a virtual
internal ip on the same nic with the two switches connected.  Any input
pointing out flaws in this idea is welcome.

-sam

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------