RE: Physical vs. Virtual iface device vulnerability

["David Gillett" <gillettdavid () fhda edu>]

  With resolution C, anyone who compromises your mail server gets complete
access to your internal network.  With resolution A, they get only SQL
access
to one internal machine.
  (In theory, resolution A could allow any attacker who spoofs your mail
server's address, but in practice it's very hard to abuse this because of
TCP handshaking.  Far and away, the easiest way to compromise resolution
A is to first compromise the mail server, and even then you're mostly
protected, unlike resolution C.)

David Gillett


> -----Original Message-----
> From: Samuel Moses [mailto:smoses () drjays com]
> Sent: Wednesday, June 30, 2004 5:30 PM
> To: security-basics () securityfocus com
> Subject: Physical vs. Virtual iface device vulnerability
>
>
> Question-
>
> If I connect my outside switch to my inside switch and give an outside
> machine an internal address on a virtual interface, will I be opening
> network to vulnerabilities differently than if I modified my firewall
> rules and let the outside connection through?  A more in
> depth description
> follows.  Thank you very much for any information regarding
> flaws in this
> logic in advance!
>
> Problem-
> I would like to implement Dspam on my mail server.  My mail
> server resides
> outside my internal network with its own firewall in place.  I have a
> database server that resides inside my network and would like
> to use the
> MySQL installation on that machine for the Dspam installation.
>
> Resolution A-
> Pass through traffic on my openbsd firewall from the external
> mail server
> to the internal database server for MySQL connections.  This
> seems error
> prone.
>
> Resolution B-
> Install MySQL on the mail server locally.  This is more maintenance
> intense as I already have an maintain a tuned DB installation.
>
> Resolution C-
> Connect the external switch to the internal switch and give the mail
> server an internal ip address and set up connection to MySQL
> on the inside
> only.
>
> I lean toward Resolution C as it's fairly simple to implement
> and to me
> seems best not to open up any database connection to the
> outside world no
> matter how restrictive it is.  What I don't know, and the
> reason for this
> posting is I'm unsure of whether I'm opening my internal network to
> intrusions due to the fact that I have an external ip and a virtual
> internal ip on the same nic with the two switches connected.
> Any input
> pointing out flaws in this idea are welcome.
>
> -sam
>
>
>
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and
> get $545 off
> any course! All of our class sizes are guaranteed to be 10
> students or less
> to facilitate one-on-one interaction with one of our expert
> instructors.
> Attend a course taught by an expert instructor with years of
> in-the-field
> pen testing experience in our state of the art hacking lab.
> Master the skills
> of an Ethical Hacker to better assess the security of your
> organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------