
RE: full solution to the anna univ routing problem (long)



	<snip>

	>a machine with a single ethernet card with two addresses does not
	>really qualify as a firewall. in this case, there is only a single
	>physical network which is directly connected to the internet (or the
	>router that is connecting to the line to the internet) and hence, there
	>is no outside zone and inside zone - only an outside zone.

	I agree, but is this network (where you have 2 network cards) more
secure than the network I described? In the single network card case, we will have

	(a) Router and firewall on one network segment
	(b) Firewall and LAN on other network segment
	(c) Router will route traffic ONLY from firewall (act as a bridge).

	Logically, outside and inside can be described in terms of network
segments here. Is this less secure?

	>as i have hinted at in my
	>footnote to the detailed post, firewalls (single interface or
	>multiple interface) make little sense in the indian context. most of
	>our intranets seem to use local/reserved ip addresses and hence are
	>invisible as far as

	I beg to differ. The notion that we are secure because of private IP
addresses is only partly true. Here is a scenario in which it is possible
to attack a private IP network. This scenario does not work with private IP +
firewall.

	(a) Say there is an inetd bug that gives you root access.
	(b) Contact the Internet gateway machine (with no firewall), using its
Internet IP address.
	(c) Issue the set of commands that give you root access.
	(d) You are root on the gateway machine.
	(e) Now you can access the local LAN as well as the server (install a
sniffer if necessary).

	In the case of a firewall,

	(a) You cannot even contact the machine (packet denied). 

	Basically, what this says is that application level security is
inherently less secure than packet level security, and therefore a firewall
does make sense even in the Indian context.

	<snip>

---
Visit our home page at: www.chennailug.org
Send e-mail to 'ilugc-request@xxxxxxxxxxxxxxxxxx' with 'unsubscribe' 
in either the subject or the body to unsubscribe from this list.
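The point made in the reply above, that a packet filter denies the connection before any service on the gateway can be reached, is easier to see in a small model. The following is an added example, not code from the original post or from the list: a minimal stateful filter for the two-segment layout described (router and firewall on one segment, firewall and LAN on the other). The interface names, the 192.168.1.0/24 LAN, and all other addresses are constructed for the example.

```python
from dataclasses import dataclass

# Added example, not from the original post: a minimal model of packet-level
# filtering on the poster's two-segment layout. Interfaces and addresses are constructed.
OUTSIDE_IF = "eth0"              # assumed interface toward the router
INSIDE_IF = "eth1"               # assumed interface toward the LAN
LAN_PREFIX = "192.168.1."        # constructed private LAN range
FW_OUTSIDE_ADDR = "203.0.113.2"  # constructed public address of the firewall

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Default-deny on the outside interface: only replies to connections the LAN
    opened get through, so a service bug on the gateway is never reachable."""

    def __init__(self):
        self.flows = set()  # (lan_src, sport, remote_dst, dport) opened from inside

    def decide(self, pkt: Packet) -> str:
        if pkt.in_if == INSIDE_IF:
            if not pkt.src.startswith(LAN_PREFIX):
                return "DROP"  # the inside segment should only carry LAN sources
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.in_if == OUTSIDE_IF:
            if pkt.src.startswith(LAN_PREFIX):
                return "DROP"  # anti-spoofing: LAN addresses never arrive from outside
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ACCEPT"  # mirror image of a flow the LAN opened
            # Everything else, including a new connection to the firewall's own
            # address (the inetd case in the post), is denied before any service sees it
            return "DROP"
        return "DROP"

def demo() -> list:
    """Run the post's two scenarios through the filter; returns the verdicts."""
    fw = StatefulFilter()
    return [
        fw.decide(Packet(OUTSIDE_IF, "198.51.100.77", 40000, FW_OUTSIDE_ADDR, 23)),  # probe
        fw.decide(Packet(INSIDE_IF, "192.168.1.20", 51000, "198.51.100.10", 80)),  # LAN opens
        fw.decide(Packet(OUTSIDE_IF, "198.51.100.10", 80, "192.168.1.20", 51000)),  # reply
        fw.decide(Packet(OUTSIDE_IF, "198.51.100.10", 80, "192.168.1.20", 51001)),  # unsolicited
    ]
```

The first verdict is the no-firewall gateway scenario turned around: the probe to port 23 is dropped on the outside interface, so whether inetd is buggy no longer matters; the last verdict shows that knowing a private address does not help either, since only the LAN can open flows.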