Security Basics mailing list archives
RE: Physical vs. Virtual iface device vulnerability
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 1 Jul 2004 13:49:05 -0700
With resolution C, anyone who compromises your mail server gets complete access to your internal network. With resolution A, they get only SQL access to one internal machine. (In theory, resolution A could allow any attacker who spoofs your mail server's address, but in practice it's very hard to abuse this because of TCP handshaking. Far and away, the easiest way to compromise resolution A is to first compromise the mail server, and even then you're mostly protected, unlike resolution C.)

David Gillett
-----Original Message-----
From: Samuel Moses [mailto:smoses () drjays com]
Sent: Wednesday, June 30, 2004 5:30 PM
To: security-basics () securityfocus com
Subject: Physical vs. Virtual iface device vulnerability

Question- If I connect my outside switch to my inside switch and give an outside machine an internal address on a virtual interface, will I be opening my network to vulnerabilities differently than if I modified my firewall rules and let the outside connection through? A more in-depth description follows. Thank you very much for any information regarding flaws in this logic in advance!

Problem- I would like to implement Dspam on my mail server. My mail server resides outside my internal network with its own firewall in place. I have a database server that resides inside my network and would like to use the MySQL installation on that machine for the Dspam installation.

Resolution A- Pass through traffic on my OpenBSD firewall from the external mail server to the internal database server for MySQL connections. This seems error prone.

Resolution B- Install MySQL on the mail server locally. This is more maintenance intensive as I already have and maintain a tuned DB installation.

Resolution C- Connect the external switch to the internal switch, give the mail server an internal IP address, and set up the connection to MySQL on the inside only.

I lean toward Resolution C as it's fairly simple to implement, and to me it seems best not to open up any database connection to the outside world no matter how restrictive it is. What I don't know, and the reason for this posting, is that I'm unsure of whether I'm opening my internal network to intrusions due to the fact that I have an external IP and a virtual internal IP on the same NIC with the two switches connected. Any input pointing out flaws in this idea is welcome.

-sam

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------
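As an added illustration of what "Resolution A" looks like when done narrowly (this ruleset is not from the thread and is not Samuel's or David's configuration; the interface names, addresses and network below are assumptions), here is an OpenBSD pf ruleset that passes only MySQL from the one external mail server to the one internal database server, with a default deny and anti-spoofing in front of it. The `flags S/SA` and state tracking are what make the spoofing David mentions impractical: a forged source address can get a SYN past the filter but cannot complete the handshake, so nothing beyond that first packet reaches the database.

```pf
# Added example ruleset for "Resolution A"; not part of the original thread.
# Interface names and addresses are assumptions for illustration.
ext_if   = "fxp0"            # interface facing the mail server / outside
int_if   = "fxp1"            # interface facing the internal LAN
mail_srv = "203.0.113.25"    # external mail server running Dspam (assumed)
db_srv   = "192.168.10.5"    # internal MySQL server (assumed)
int_net  = "192.168.10.0/24" # internal network (assumed)

set skip on lo

# Drop packets whose source address belongs to a network that lives on
# another interface (a spoofed internal or mail-server address arriving
# on the wrong side of the firewall).
antispoof quick for { $ext_if $int_if }

# Internal addresses must never show up as a source on the outside.
block in quick on $ext_if from $int_net to any

# Default deny, logged, so anything not explicitly listed below is visible.
block log all

# The single hole: TCP 3306 from the mail server to the DB server only.
# "flags S/SA" means only a bare SYN creates state; replies and the rest
# of the conversation are matched by that state, never by a new rule.
pass in  quick on $ext_if proto tcp from $mail_srv to $db_srv port 3306 \
    flags S/SA keep state
pass out quick on $int_if proto tcp from $mail_srv to $db_srv port 3306 \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the rest of the site's policy (internal hosts going out, management access to the firewall itself) is deliberately omitted here. The other half of keeping the hole small lives on the database: give Dspam its own MySQL account that is allowed to connect only from the mail server's address and only to the Dspam database, so that a compromised mail server holding those credentials cannot read anything else on that machine. That is the "only SQL access to one internal machine" that Resolution A buys, versus Resolution C, where the dual-homed mail server becomes a host sitting on the internal switch with no filter between it and everything else.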
Current thread:
- Physical vs. Virtual iface device vulnerability Samuel Moses (Jul 01)
- Re: Physical vs. Virtual iface device vulnerability Brett (Jul 05)
- RE: Physical vs. Virtual iface device vulnerability David Gillett (Jul 05)