Port Forwarding vs. Running Servers on Firewall
CLIFFORD ILKAY
clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org
Thu Sep 4 20:30:05 UTC 2003
At 03:18 PM 04/09/2003 -0400, Joe Hill wrote:
>On Thu, 04 Sep 2003 14:55:32 -0400
>CLIFFORD ILKAY <clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org> uttered:
>
> > Is it just that if the firewall is compromised, the bad guy still
> > has to crack the machine on the inside or is there something I am
> > missing?
>
>AFAIK, if the firewall is compromised, the "hacker" would still have to
>get root access on the hosts to do any real damage, but it would still
>be a Very Bad Thing.
I think you are alluding to what I said in my original message, that
separating the services from the firewall is a layered approach to
security. Perhaps another reason is that firewalls and servers may be on
different upgrade cycles.
>It is *always* best to run *any* service behind a firewall that you want
>protected, particularly a firewall that does inspection of incoming and
>outgoing packets for things like spoofing, "man in the middle" attacks,
>syn floods (duh), etc. and yes, the fewer services open on the firewall
>the better.
Let us take a concrete example. Say we have Apache running on a host
(192.168.0.10) on the LAN that must be accessible from the whole world. Our
firewall and gateway, 192.168.0.1 on the inside interface, and
123.123.123.123 (any resemblance to a real host is coincidental) on the
outside interface, has to forward all requests to 123.123.123.123:80 to
192.168.0.10:80 and send the packets from 192.168.0.10 back out through
123.123.123.123 via 192.168.0.1. Packets are going to be inspected and all
that good stuff on the firewall. What difference does it make if the Apache
daemon is running on the firewall or on 192.168.0.10?
>The thing about a firewall is that the hosts behind it are (or are
>supposed to be) invisible, since their IPs are private and cannot be
>seen from the WAN, ie. 192.168.0.x.
If port 80 on the firewall is forwarded to a host with a private IP on the
LAN, it can be seen from the WAN. That is the whole point of port forwarding,
is it not?
>You want a firewall that does port forwarding, network address
>translation, and stateful traffic inspection (IIRC).
Right, but that does not address the question of why it is good practice to
run only firewall and routing services on the firewall instead of running
httpd, etc. Running a bunch of services on the firewall does not preclude
one from having all that good stuff you listed.
>If you have a spare box around there are several easy sol'ns, like
>ClarkConnect, BBIAgent (runs off a floppy) or Smoothwall.
ClarkConnect, like Mitel SME Server (formerly known as e-smith), runs
services like pop, imap, smb, netatalk, http on the firewall. I do not know
anything about BBIAgent but being floppy based, it probably is very lean
and mean. I know SmoothWall does strictly firewalling and routing.
Regards,
Clifford Ilkay
Dinamis Corporation
3266 Yonge Street, Suite 1419
Toronto, Ontario
Canada M4N 3P6
Tel: 416-410-3326
mailto:clifford_ilkay-biY6FKoJMRdBDgjK7y7TUQ at public.gmane.org
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
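The concrete setup Clifford describes (123.123.123.123:80 forwarded to 192.168.0.10:80, replies going back out via 192.168.0.1), written out as Netfilter rules. This is an added example, not code from the thread; the interface names eth0 (outside) and eth1 (inside) are assumptions, and by default the script only prints the commands.

```shell
#!/bin/sh
# Added example: iptables rules for the port forward discussed in the thread.
# Assumed (constructed) layout: eth0 = outside (123.123.123.123),
# eth1 = inside (192.168.0.1), Apache on 192.168.0.10.
# RUN defaults to "echo" so the rules are printed; set RUN= (empty) and run
# as root to apply them for real.
RUN="${RUN-echo}"

portfwd_rules() {
    wan_if="$1"; wan_ip="$2"; lan_if="$3"; srv_ip="$4"; port="$5"

    # Default deny for traffic to the firewall itself and for forwarded traffic.
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP

    # The firewall itself answers nothing on port 80; only replies to flows it
    # started get back in. This is the practical difference from running httpd
    # on the firewall, where a hole in Apache is a hole in the box that holds
    # the rules.
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1. DNAT: rewrite the public destination to the LAN server before routing.
    $RUN iptables -t nat -A PREROUTING -i "$wan_if" -d "$wan_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$srv_ip:$port"

    # 2. Forward only the translated flow: new connections to the server port
    #    inbound, and replies belonging to tracked connections outbound.
    $RUN iptables -A FORWARD -i "$wan_if" -o "$lan_if" -d "$srv_ip" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $RUN iptables -A FORWARD -i "$lan_if" -o "$wan_if" -s "$srv_ip" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # 3. Replies: conntrack reverses the DNAT, so the server's answers leave
    #    with source 123.123.123.123 without an explicit SNAT rule.
    #    MASQUERADE covers connections the LAN itself originates.
    $RUN iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE

    # The kernel must actually route between the two interfaces.
    $RUN sysctl -w net.ipv4.ip_forward=1
}

portfwd_rules eth0 123.123.123.123 eth1 192.168.0.10 80
```

Note that nothing here opens port 80 on the firewall's own INPUT chain: the public address accepts HTTP only in the sense that packets are rewritten and forwarded to the inside host.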