Port Forwarding vs. Running Servers on Firewall

Fraser Campbell fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org
Thu Sep 4 20:11:08 UTC 2003


On Thursday 04 September 2003 14:55, CLIFFORD ILKAY wrote:

> network. Setting aside the DMZ issue for the time being, what, if any,
> advantage is there to running these services on machines behind the
> firewall? Is it just that if the firewall is compromised, the bad guy still
> has to crack the machine on the inside or is there something I am missing?

If the firewall is compromised (let's assume root compromise) then the cracker 
has full access to your entire internal network, to the Internet from your 
firewall and to the DMZ (if any).  He can cover his tracks and spend days, 
weeks or months on the firewall gathering passwords, learning about your 
network, etc.

If a webserver is compromised, and you've been smart enough to install it in a 
DMZ then the cracker has a much smaller and (probably) less interesting 
network to probe.  If the DMZ is switched then he'll not learn very much 
beyond the tasks that involve that webserver.  He might be able to launch 
attacks against other machines in the DMZ but hopefully you've hardened those 
sufficiently to make that difficult.  Very restrictive firewall rules should 
be able to make the webserver an uninteresting place for a cracker as well. A 
webserver machine for example could be configured so that it can only respond 
to inbound http requests; the cracker couldn't initiate any outbound 
connections (to the Internet) period.

-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>                 http://www.wehave.net/
Halton Hills, Ontario, Canada                       Debian GNU/Linux
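The web server policy described above (answer inbound HTTP, never start a connection) written out as an nftables ruleset for the DMZ host itself. This is an added example, not part of the original thread; the choice of nftables, the table name and the jump-host address are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: host firewall for a DMZ web server.
# Policy: reply to inbound HTTP only; this host never initiates connections,
# so a cracker who owns the web server cannot reach out from it.
flush ruleset

table inet dmz_web {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus packets belonging to connections already accepted
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The only thing the outside may start: HTTP to this host
        tcp dport 80 ct state new accept

        # Deliberately narrow admin exception: SSH from one internal jump host
        # (192.0.2.10 is a placeholder address, adjust to your network)
        ip saddr 192.0.2.10 tcp dport 22 ct state new accept

        # Record probes instead of dropping them silently
        limit rate 5/minute log prefix "dmz-web input drop: "
    }

    chain forward {
        # A web server is not a router; never pass traffic between interfaces
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        # Replies to accepted inbound connections (HTTP responses, ICMP errors)
        ct state established,related accept

        # No "ct state new" rule here: every outbound connection attempt is
        # dropped. Note this also blocks DNS, NTP and package updates; if the
        # host needs them, add explicit per-destination exceptions rather
        # than a blanket allow, e.g. to one internal resolver only.
        limit rate 5/minute log prefix "dmz-web egress attempt: "
    }
}
```

The egress log prefix is worth alerting on: on a host that is never supposed to start connections, any "egress attempt" entry is a strong signal of compromise.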

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
