On Thu, 7 Oct 2004 18:07:19 -0500 "Dustin Decker" [email protected] wrote:
One other concern I would have is for vulnerable software. If I have an apache server behind a firewall, and a new vulnerability is discovered, exploitation of it doesn't place my firewall at risk, whereas root access gained through [insert hack of the week here] quickly gains the ability to disable iptables entirely. I guess this is one of those rare instances in which I don't entirely agree with Frank. (Oh, and my hang-up on "bastion hosts".)
Yup this is spot where we disagree. :)
I can see why you wouldn't want someone to compromise your firewall, but this is of little concern if they have compromised a server behind it.
If I can gain root access to the server running Apache behind the firewall... what exactly is the firewall doing for you then? I've got full access to your "protected" network now...
I will admit you can limit the hosts the webserver can access, etc. but most people set up a firewall as a line in the sand and don't do security like an onion. Break through one layer... several more layers to go.
This is why I prefer using something like iptables. If they can compromise the machine... well that's all they can do. Of course they can turn off iptables and compromise the machine further, but they don't have any special access to the other servers which should keep them out of the others.
---------------------------------
Frank Wiles [email protected]
http://www.wiles.org
---------------------------------
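As an added example (not from the thread or either poster), here is what the per-host iptables "onion" Frank describes looks like for the Apache box and the database it talks to. The addresses are constructed placeholders, and the IPT dry-run printer is an assumption of this example so the rules can be reviewed without root.

```shell
#!/bin/sh
# Per-host iptables policy for the layered layout discussed above.
# IPT defaults to a dry-run printer (assumption of this example) so the
# rules can be reviewed first; set IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Constructed placeholder addresses (RFC 5737 documentation range).
WEB_HOST=192.0.2.10
DB_HOST=192.0.2.20
DNS_SERVER=192.0.2.53

# Baseline every host shares: drop by default, keep loopback and
# already-established flows, let the admin in over SSH, allow DNS out.
baseline() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
}

# The Apache box: serve 80/443 to anyone, but initiate connections only
# to the database. Root on this host can switch these rules off, which
# is exactly why the other hosts carry their own layer below.
web_host_rules() {
    baseline
    $IPT -A INPUT  -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DB_HOST" --dport 3306 -j ACCEPT
    $IPT -A INPUT  -j LOG --log-prefix "web-drop: "
}

# The database box enforces its own layer: 3306 only from the web host
# and nothing else, so a compromised web host gains no extra reach here.
db_host_rules() {
    baseline
    $IPT -A INPUT -p tcp -s "$WEB_HOST" --dport 3306 -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "db-drop: "
}

# Count the append rules a given host policy produces (quick sanity check).
rule_count() {
    "$1" | grep -c ' -A '
}
```

Run with IPT=iptables as root on each host to apply its own policy; the logged drops on the database box are the signal that the web tier is behaving unexpectedly.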