Security Basics mailing list archives
RE: 192.168.x.x oddities
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 23 Jun 2004 17:01:18 -0400
Being a security-basics list, I feel the need to point something out here. I've forgotten if it was ISS, or IBM, or maybe even Gartner which stated that somewhere near 60 percent of the firewalls deployed are deployed incorrectly. This is highlighted by the topic of conversation below. When configuring firewall rules, it is imperative to lock networks to appropriate interfaces. I believe that most of the "misconfigured" firewalls out there are the ones that fail to do this.

Forgive my overly simplistic pseudo-firewall-rules below:

Bad config (assuming rules match in order):

    Allow    192.168.x.x  any-destination  list-of-ports-and-services
    Drop-log anywhere     anywhere         any-ports-services

At a glance, this looks safe, because we're using pessimistic security. Drop everything, allow only what we want. But, if someone on the outside manages to generate a packet using our internal IP netblock, it might be possible to get a packet passed from the outside, right on through to the inside. From a pure layer3 standpoint (routing issues aside...) the firewall rules above do nothing to prevent such an attack.

A much safer config might be as such:

    Allow    192.168.x.x  any-destination  list-of-ports-and-services  ORIGINATES-INTERNAL-INTERFACE
    Drop-log anywhere     anywhere         any-ports-services          any-interface

If a firewall is configured to do this, martians appearing with sources in 192.168.x.x coming from an untrusted interface (say, the one pointed at the internet) will just get dropped and logged anyway. Problem solved, no?
Answer to the below is NO. You could change your internal network to 10.x.x.x instead of 192.x.x.x if that makes you feel more secure.
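The two rulesets above, evaluated as a first-match policy, as an added example that is not part of the original post. The packet fields, the interface names "internal" and "external", the service port list and the evaluator are all assumptions made for the illustration; the point it shows is the one Keith makes: a rule that allows the internal netblock without binding it to the interface it should arrive on also matches a packet carrying an internal source address that arrives on the outside interface. The last function is an added configuration check that flags exactly that pattern.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Assumed internal netblock (the post uses 192.168.x.x)
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# Assumed list-of-ports-and-services for the illustration
SERVICES = frozenset({25, 80, 443})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    iface: str  # interface the packet arrived on: "internal" or "external"


@dataclass(frozen=True)
class Rule:
    action: str                                   # "allow" or "drop-log"
    src: Optional[ipaddress.IPv4Network]          # None means "anywhere"
    dports: Optional[FrozenSet[int]]              # None means "any-ports-services"
    iface: Optional[str]                          # None means "any-interface"

    def matches(self, p: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(p.src) not in self.src:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins, as the post assumes ("rules match in order")."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop-log"  # implicit default deny if nothing matched


# Bad config from the post: the allow rule is not bound to an interface.
BAD_RULES = [
    Rule("allow", INTERNAL_NET, SERVICES, None),
    Rule("drop-log", None, None, None),
]

# Safer config from the post: the allow rule only applies to packets
# that ORIGINATE on the internal interface.
GOOD_RULES = [
    Rule("allow", INTERNAL_NET, SERVICES, "internal"),
    Rule("drop-log", None, None, None),
]

# Constructed sample packets: the same internal source address, one seen on
# the inside interface and one "martian" arriving from the outside.
LEGIT = Packet("192.168.1.10", "10.0.0.5", 80, "internal")
MARTIAN = Packet("192.168.1.10", "10.0.0.5", 80, "external")


def unbound_private_allows(rules: List[Rule]) -> List[Rule]:
    """Config check: allow rules for an RFC 1918 source with no interface binding.

    Any rule returned here will also match spoofed traffic from an untrusted
    interface, which is the misconfiguration the post describes.
    """
    return [
        r for r in rules
        if r.action == "allow" and r.src is not None and r.src.is_private and r.iface is None
    ]


if __name__ == "__main__":
    for name, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        print(name, "legit:", evaluate(rules, LEGIT), "martian:", evaluate(rules, MARTIAN))
        print(name, "unbound private allows:", len(unbound_private_allows(rules)))
```

Running it shows both rulesets allowing the legitimate inside packet, but only the interface-bound ruleset dropping (and logging) the martian; the check function reports one offending rule in the bad config and none in the good one. On a real firewall the same audit is done by reading the rule table and looking for permit entries on private source ranges that lack an ingress-interface condition.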
Current thread:
- RE: 192.168.x.x oddities, (continued)
- RE: 192.168.x.x oddities Nathaniel Hall (Jun 16)
- Re: 192.168.x.x oddities Ranjeet Shetye (Jun 18)
- Re: 192.168.x.x oddities steve (Jun 21)
- RE: 192.168.x.x oddities Burton M. Strauss III (Jun 21)
- RE: 192.168.x.x oddities Shawn Jackson (Jun 16)
- RE: 192.168.x.x oddities Jimmy Brokaw (Jun 21)
- Re: 192.168.x.x oddities steve (Jun 23)
- RE: 192.168.x.x oddities David Gillett (Jun 24)
- RE: 192.168.x.x oddities Jimmy Brokaw (Jun 21)
- RE: 192.168.x.x oddities Nathaniel Hall (Jun 16)
- RE: 192.168.x.x oddities Mike (Jun 17)
- RE: 192.168.x.x oddities Shawn Jackson (Jun 17)
- RE: 192.168.x.x oddities Keith T. Morgan (Jun 24)