
Re: Network time protocol



On Tue, Sep 19, 2000 at 01:06:26PM +0900, Stephen J. Turnbull wrote:
> >>>>> "FB" == Frank BENNETT <bennett@example.com> writes:

> The latter.  The safest configuration for a firewall is a bastion host
> that communicates only with routers.  The only software that the
> bastion host should run is proxies for passing permissible data from
> inside to outside and vice versa, logging software, and sshd for
> administrators.  All traffic from outside should be routed via the
> bastion host, which passes it back to the inside router.  And vice
> versa.  No routes inside to outside or vice versa that don't pass
> through the bastion host.  The routers shouldn't know about one
> another's existence.

I think we have a glimmer of understanding at this end.  This means that in
best practice, a firewall should not do routing itself?  I understand
roughly why doing filtering inside the kernel is risky (because the kernel
controls the world).  What is the problem with permitting the firewall to
serve as gateway on each of two interfaces?  Is it simply that the routers
themselves provide a second line of defense -- an attacker must first breach
the router in order to gain access to the firewall?  I am assuming that the
physical setup looks something like this:

<---Evil Insiders--->Router1<--->Firewall<--->Router2<---Evil Outsiders--->

Router2 is registered on outside hosts as the access point for the Evil
Insiders' domain, but it simply delivers any inbound packets it receives to
Firewall, via a separate interface.  Firewall reads the packet headers for
the type of data, filters, and delivers everything it finds OK to the
interface connected to Router1.  Router1 reads the packet headers and
decides how to route packets to hosts within the Evil Insiders' domain,
again via a separate network interface.  Traffic running the other way
operates similarly.

So an attempt to telnet from EO to EI will succeed transparently, if telnet
packets are passed by Firewall.  But if telnet packets are denied, the
would-be telnet user would have to crack Router2, then crack Firewall,
convince it to pass this type of data (or to run telnet, which presumably is
not installed on the machine), and then request the outside connection to a
host within EI.  She does not need to doctor Router1 in any way, but
cracking Router2 and Firewall is likely to require some time, during which
alarm bells should start ringing somewhere.

Is that right?

Feel free to eject from this discussion by recommending that I
RTFM (with a suggestion of which FM I should R).

Frank "Descript-kiddie" Bennett
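The difference the two posts are circling, a dual-homed host that routes between its interfaces and filters in the kernel versus a bastion host with forwarding switched off that only runs proxies and sshd, can be made concrete with a small policy model. The following is an added example written for this archive page, not code from either poster; the zone names, the proxy port 3128, the host name "firewall" and the sample packets are all constructed assumptions.

```python
"""Toy model of the two firewall placements discussed in the thread.

RoutingFirewall: IP forwarding on, gateway on both interfaces, relies
entirely on its packet filter.
BastionHost: IP forwarding off, so nothing is routed between interfaces;
only packets addressed to the bastion itself ever reach a process, and
the only processes are application proxies and sshd.

Constructed example; names and ports are assumptions, not from the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # originating host or zone, e.g. "outside"
    dst: str    # destination host name, e.g. "inside-host" or "firewall"
    dport: int  # destination TCP port


class RoutingFirewall:
    """Dual-homed host with forwarding enabled: a packet for an inside host
    is forwarded unchanged if the filter allows its port."""

    def __init__(self, allowed_ports):
        self.allowed_ports = set(allowed_ports)

    def handle(self, pkt):
        if pkt.dst == "firewall":
            return "accepted: local service"
        if pkt.dport in self.allowed_ports:
            return "forwarded"  # handed to Router1 as the original packet
        return "dropped: filter policy"


class BastionHost:
    """Host with forwarding disabled: there is no kernel route from one
    interface to the other, so only traffic to the bastion itself matters."""

    def __init__(self, proxy_ports, admin_hosts):
        self.proxy_ports = set(proxy_ports)  # e.g. {3128} for an HTTP proxy
        self.admin_hosts = set(admin_hosts)  # hosts allowed to reach sshd
        self.ssh_port = 22

    def handle(self, pkt):
        if pkt.dst != "firewall":
            return "dropped: forwarding disabled"
        if pkt.dport == self.ssh_port:
            if pkt.src in self.admin_hosts:
                return "accepted: sshd"
            return "dropped: ssh not from admin host"
        if pkt.dport in self.proxy_ports:
            # The proxy terminates the connection and opens a fresh one from
            # the bastion to the inside; the outside packet never crosses.
            return "proxied: new connection originated by bastion"
        return "dropped: no listener"


def simulate(firewall, packets):
    """Map (src, dst, dport) of each packet to the firewall's decision."""
    return {(p.src, p.dst, p.dport): firewall.handle(p) for p in packets}


# Constructed traffic sample resembling the telnet scenario in the message.
SAMPLE = [
    Packet("outside", "inside-host", 23),   # telnet straight to an inside host
    Packet("outside", "inside-host", 80),   # HTTP straight to an inside host
    Packet("outside", "firewall", 3128),    # HTTP through the bastion's proxy
    Packet("outside", "firewall", 22),      # ssh attempt from outside
    Packet("admin-ws", "firewall", 22),     # ssh from the admin workstation
]

if __name__ == "__main__":
    for label, fw in [("routing firewall", RoutingFirewall(allowed_ports=[80])),
                      ("bastion host", BastionHost(proxy_ports=[3128],
                                                   admin_hosts=["admin-ws"]))]:
        print(label)
        for key, outcome in simulate(fw, SAMPLE).items():
            print("  ", key, "->", outcome)
```

Running it shows the point of the quoted advice: with the routing firewall, a packet for an inside host on port 80 is forwarded as-is and only the filter stands between the two networks, whereas the bastion drops every packet not addressed to itself regardless of port, and the only way inside is through a proxy that re-originates the connection on the bastion's own behalf.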
