Re: DMZ design
comp.security.firewalls archive

From: Somebody. <somebody.@spamout.russdoucet.com>
Date: Wed Nov 30 2005 - 18:55:21 CET

"Leythos" <void@nowhere.lan> wrote in message
news:IUkjf.244394$lI5.78042@tornado.ohiordc.rr.com...
> In article <3v5rhjF13va87U2@individual.net>, usenet-2005
> @planetcobalt.net says...
>> Leythos wrote:
>> > In article <3v40jiF13hjo6U1@individual.net>,
>> > usenet-2005@planetcobalt.net says...
>> >> Leythos wrote:
>> >>> Port 1433 isn't going to allow access to Enterprise Manager, and as
>> >>> long as your DB Server is patched, then allowing 1433 from the DMZ
>> >>> to LAN via IP:PORT>IP:PORT won't compromise the network.
>> >>
>> >> And with one of the setups I described above, my network wouldn't be
>> >> compromised even *if* the webserver got compromised *and* there was
>> >> an unpatched vulnerability in the DBMS *and* an attacker had a 0-day.
>> >> Defense in depth.
>> >
>> > Wrong - If the database server in DMZ2 is compromised by a 0-Day
>> > exploit, and you've set up replication between the DMZ1 DB server, so
>> > that you have real-time information available, then the same 0-Day
>> > exploit will reach through and compromise that server too.
>>
>> No. Simply because replication and web application use different
>> mechanisms to access the server. Besides, I didn't say anything about
>> real-time replication.
>
> No, you didn't, but let's take an online ordering system, or a project
> management system or anything else that doesn't use a static DB, and
> then you either punch a hole or set up replication, so you're back to
> having a security issue that you have to deal with one way or another.

Data lives in DMZ1. Only connection to it is an administrative interface
like RDP, from the trust zone, and some sort of file transfer method like
sftp, both initiated from particular trusted, hardened hosts.

Server lives in DMZ2. Only connection to DMZ1 is SQL. Only connection to
outside is via incoming http. No connection to trust.

Hacker must compromise web server first using only in-line port 80,
and then inject an in-line SQL compromise to the DB server in DMZ1, which in
fact has no outbound policies to anywhere, and therefore can only reply to
SQL sessions initiated from that web server.

-Russ.
Received on Sat Dec 3 04:18:55 2005
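The zone layout Russ describes (DB in DMZ1 reachable only by SQL from the DMZ2 web server plus RDP/sftp from hardened trust-zone hosts, DMZ1 with no outbound policy, web server with no path to trust) can be modelled as a default-deny policy and checked for the invariants the post relies on. The following is an added example, not code from the thread or from any firewall product; host names (`web1`, `db1`, `admin-jump`, `xfer-host`), the RDP and sftp port numbers, and the weaker "DMZ-to-LAN on 1433" rule used for contrast are assumptions constructed for illustration. Port 1433 is the only value taken from the thread itself. The model treats the firewall as stateful, so only who may initiate a session matters; replies ride on an existing session, which is exactly the "can only reply to SQL sessions initiated from that web server" property.

```python
"""Zone policy model for the DMZ design discussed in the thread.

Added example (not from the original post). Host names, RDP/sftp ports and
the WEAK_POLICY rule are constructed assumptions; 1433 comes from the thread.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str                              # zone the session is initiated from
    dst_zone: str                              # zone the session is initiated to
    proto: str
    port: int
    src_hosts: Optional[FrozenSet[str]] = None  # None = any host in src_zone


# Constructed hosts, one per role named in the post (names are assumptions).
HOST_ZONE = {
    "web1": "dmz2",          # web server: inbound http, SQL to DMZ1
    "db1": "dmz1",           # database server: no outbound policy at all
    "admin-jump": "trust",   # hardened host allowed to RDP into DMZ1
    "xfer-host": "trust",    # hardened host allowed to sftp into DMZ1
    "internet": "outside",
}

# Default-deny: any initiation not listed here is blocked.
POLICY: List[Rule] = [
    Rule("outside", "dmz2", "tcp", 80),                             # incoming http to web
    Rule("dmz2", "dmz1", "tcp", 1433, frozenset({"web1"})),         # SQL, only from web1
    Rule("trust", "dmz1", "tcp", 3389, frozenset({"admin-jump"})),  # RDP from admin host
    Rule("trust", "dmz1", "tcp", 22, frozenset({"xfer-host"})),     # sftp from xfer host
]

# Contrast case from the thread: DMZ DB allowed to open 1433 toward the LAN.
WEAK_POLICY: List[Rule] = POLICY + [Rule("dmz1", "trust", "tcp", 1433)]


def session_allowed(policy, src_host, dst_host, proto, port):
    """True if src_host may *initiate* a session to dst_host:port under policy.

    Stateful semantics: return traffic for an allowed session is implied, so
    a host that cannot initiate cannot reach the destination on its own.
    """
    src_zone, dst_zone = HOST_ZONE[src_host], HOST_ZONE[dst_host]
    for r in policy:
        if (r.src_zone, r.dst_zone, r.proto, r.port) != (src_zone, dst_zone, proto, port):
            continue
        if r.src_hosts is None or src_host in r.src_hosts:
            return True
    return False


def reachable_zones(policy, host):
    """Zones `host` can open a session to; [] means no outbound policy at all."""
    zone = HOST_ZONE[host]
    return sorted({r.dst_zone for r in policy
                   if r.src_zone == zone and (r.src_hosts is None or host in r.src_hosts)})


def check_design(policy):
    """Invariants stated in the post, evaluated against a policy."""
    return {
        # "no outbound policies to anywhere" for the DMZ1 database server
        "db_has_no_outbound": reachable_zones(policy, "db1") == [],
        # "No connection to trust" for the DMZ2 web server
        "web_cannot_reach_trust": "trust" not in reachable_zones(policy, "web1"),
        # SQL reaches DMZ1 only from the web server, not from outside or admin hosts
        "sql_only_from_web": (
            session_allowed(policy, "web1", "db1", "tcp", 1433)
            and not session_allowed(policy, "internet", "db1", "tcp", 1433)
            and not session_allowed(policy, "admin-jump", "db1", "tcp", 1433)
        ),
    }


if __name__ == "__main__":
    for name, pol in (("POLICY", POLICY), ("WEAK_POLICY", WEAK_POLICY)):
        print(name, check_design(pol))
```

Running the module prints all three invariants holding for `POLICY`, while `WEAK_POLICY` fails `db_has_no_outbound`: once the DMZ database can initiate toward the LAN, a compromise of that host is no longer contained by the firewall alone, which is the point of contention in the thread.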