Firewall Wizards mailing list archives

Re: websiite log transfers from exposed to internal nets :

From: Richard Threadgill <richardt () midgard net>
Date: Mon, 23 Jun 2003 10:00:22 -0700

In message <F370552B4017D2118B4700A0C9CFE54F019F7462 () exchange vfa com>"Sloane, 
David" writes

Richard,

I thoroughly enjoyed your post - especially the methodology for selecting a
solution.

One question - what brought you to this conclusion?

We want the secure area to connect to the unsecure area.

It has always seemed safer to me to connect from the secure area to the
unsecure.  When the unsecure system is compromised, it has fewer attack
vectors to internal systems.

Can you elaborate on your preference?

-David


Heh, sorry, my bad - that's such a basic rule that I
neglected to provide the explanation and justification.  

Let's start out by dividing our network into two regions - the
'more secure' side and the 'less secure' side.  We'll put our
storehouse of sensitive data on the part of the network that is
'more secure,' since the entire point of this exercise is to
protect it from malicious attack. As a practical matter, the
difference between them is that we have no control over the 
'less secure' region, and we have some control over the 'more 
secure' region.

Now, let's consider the possible effect of a security compromise
in each of these regions on our sensitive data:

        1. The internal, 'more secure' network is compromised, by
        an unknown attacker who may be internal or may be external.
        If my sensitive data is not independently secured, the 
        attacker now has all of the sensitive data they want, and may
        even be able to establish an ongoing update process to constantly
        report changes in the sensitive data. This would be bad, its
        probably one of the things we've been paid to prevent.
        2. The external, 'less secure' network is compromised.
        Because the 'more secure' network is protected from the 'less
        secure' network, the attacker does not yet have the keys to
        the kingdom, and must now do some amount of work to go get
        the sensitive data.  This is good, whatever risks are being
        mitigated by protecting this data are still being mitigated.

Since our job is to protect the sensitive data, we should assume
that the 'less secure' network is *always* compromised. We should
also assume that any host on the less secure network is easier to
compromise, because other compromised hosts have easy, regular
access to not-yet-compromised hosts on the less secure network.
So we're trying to figure out how to reduce the likelihood that the
compromise will spread from the less secure network to the more
secure network.

Now, let us propose that we are producing some interesting 
sensitive data on the 'less secure' network, and we need to 
transport the data to the 'more secure' network, where it will 
be stored indefinitely and analyzed.  In short, one side needs 
to 'trust' a connection from the other side.  So our question 
is 'do I want a host in the more secure region to trust that 
a host in the less secure region has not been compromised?'
Given our assumption that hosts in the less secure region are
either compromised or merely easier to compromise, I want to put as
little trust in them as possible.  My alternative is to put more
trust in the hosts on the 'more secure' side of the network - 
'do I want a host in the less secure region to trust that a host 
in the more secure region has not been compromised?'  That's a
much, much more appealing alternative.

Furthermore, I want to transfer this data in an automated way, so
humans don't have to get involved.  This means that the trust is
unattended and largely unchecked.  This makes this particular
data transfer a 'risky' operation for the trusting host; if the
trusted host has been compromised, they can probably fairly
easily compromise the trusting host.  This means that I do NOT
want the host on the less secure network to be in control of the
connection.  They may perform some operation which requests that
the trusted host on the more secure connection come pick up the
data, but the trusted host still needs to control that
communication.

In short, the secure host should always connect to the insecure
host.

RichardT


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

RE: websiite log transfers from exposed to internal nets : Sloane, David (Jun 23)
- Re: websiite log transfers from exposed to internal nets : Richard Threadgill (Jun 23)
- RE: websiite log transfers from exposed to internal nets : R. DuFresne (Jun 23)