
network rearrangement

  • 13-07-2001 11:47am
    #1
    Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭


    I'll draw a map

    router ---> firewall ---> hub ----> office pc's
    ^
    |
    crossover cable

    This is the actual physical setup.
    What I am going to do is

    router ---> switch ---> rest of network ( firewall, office pc's)

    Now.. I know that this will actually work, however I don't know how
    vulnerable it is. ( the reasons for changing are complicated.. basically
    I want to know if TCP/IP will be enough to maintain the security )


    The network configuration won't be changed in the slightest on any pc
    everything will still go to the firewall and then to the router.

    I don't think it should make the slightest difference as regards
    security.. am i wrong ?


    Gav


    possibly should be on the security board.. will post link there methinks



Comments

  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    The fact that it is using private IP addresses and that the subnet should keep any packets within that. Certainly the user could change their IP to a publicly used one
    but in this situation, the users can be trusted.

    The PCs can send packets to the switch yeah... but they've nowhere to go once they get there.

    Aye.. it seems wrong to me too.. but I can't really think of a logical reason as to why.

    Gav

    apart from as I was just informed 'source routing'.



  • Registered Users, Registered Users 2 Posts: 199 ✭✭hudson806


    Originally posted by Verb:

        What I am going to do is

        router ---> switch ---> rest of network ( firewall, office pc's)


    As long as you use packet filtering on the router to disallow private IPs from passing in either direction, you should be safe-ish. But it's pretty easy to make up a set of PF rules that looks good but isn't, so be careful.

        I don't think it should make the slightest difference as regards
        security.. am i wrong ?

    I would say the security is lessened with this configuration (Screened Host Architecture) - you are now relying on your router to save you from outside attack. If someone takes the router, your firewall will not protect you as they will have unrestricted access to your LAN anyway. Would it be possible for you to put a router between your firewall and your LAN (Screened Subnet)? At least then, if someone attacks the bastion firewall, your LAN still isn't compromised.

    Still it's a decent solution, just not as good as the original one, IMHO

    [This message has been edited by hudson806 (edited 13-07-2001).]

    [This message has been edited by hudson806 (edited 13-07-2001).]

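    An added example (not part of hudson806's post or of the original thread) of the filtering rule described above, modelled in Python: one filter that only drops inbound packets with a private source, and one that drops any packet carrying a private source or destination in either direction. The addresses, packet records and function names are constructed for illustration.

```python
"""Model of router packet filtering for private (RFC 1918) addresses.

Added example, not from the original thread.  It models the rule hudson806
describes: the router should drop packets carrying private addresses in
either direction.  Addresses, sample packets and function names are
constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# RFC 1918 private ranges plus loopback; a real bogon list is longer.
PRIVATE = [ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_private(addr):
    """True if addr falls inside one of the PRIVATE ranges."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE)


def naive_filter(pkt):
    """A rule set that 'looks good': drop inbound packets from a private source.
    It misses outbound leaks and inbound packets *addressed to* private space."""
    if pkt["dir"] == "in" and is_private(pkt["src"]):
        return "drop"
    return "accept"


def strict_filter(pkt):
    """Drop any packet crossing the router whose source or destination is private,
    regardless of direction (anti-spoofing inbound, anti-leak outbound)."""
    if is_private(pkt["src"]) or is_private(pkt["dst"]):
        return "drop"
    return "accept"


# Constructed sample packets as seen crossing the router: (name, dir, src, dst).
SAMPLES = [
    ("spoofed inbound from private src", "in", "192.168.1.5", "203.0.113.10"),
    ("inbound aimed at internal host", "in", "198.51.100.7", "10.0.0.12"),
    ("internal address leaking outbound", "out", "172.20.0.9", "198.51.100.7"),
    ("normal public traffic", "in", "198.51.100.7", "203.0.113.10"),
    ("normal NATted outbound", "out", "203.0.113.10", "198.51.100.7"),
]


def evaluate(filter_fn):
    """Return {sample name: verdict} for a filter function."""
    return {name: filter_fn({"dir": d, "src": s, "dst": t})
            for name, d, s, t in SAMPLES}


def gaps(filter_fn):
    """Names of sample packets that carry a private address yet are accepted."""
    return sorted(name for name, d, s, t in SAMPLES
                  if filter_fn({"dir": d, "src": s, "dst": t}) == "accept"
                  and (is_private(s) or is_private(t)))


if __name__ == "__main__":
    for fn in (naive_filter, strict_filter):
        print(fn.__name__, evaluate(fn), "gaps:", gaps(fn))
```

    Running it shows the weaker rule set accepting two of the five sample packets that carry private addresses: the inbound packet addressed to 10.0.0.12 and the outbound packet sourced from 172.20.0.9. That is the "looks good but isn't" trap: the rule stops obvious spoofing but still lets internal addressing leak out and lets a router that forwards private destinations be used as a way in.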

  • Registered Users, Registered Users 2 Posts: 4,109 ✭✭✭sutty


    Should it not be something like


    Internet
    >Router
    >Firewall
    >switch
    >Network


    The firewall box having 2 NICs, one on a completely different range than the rest of the network and one on the same as the network. You set the router to the IP address of the first NIC, and use NAT over the firewall and over the router?


    or am I just talking out of my ass?



    Ciaran Sutcliffe
    aka: sutty
    [HIV]sutty
    For a good time goto:
    http://www.hotinternetvirgins.com


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Aye.. I am aware of how it should be setup ideally.

    However... Can you give me a specific reason as to why it is more vulnerable in this scenario? ie if someone gets into the router, all they can access is the firewall because of the router configuration ( which they can change, admittedly ). But having said that, all the internal network is on private IPs. So how can someone that breaches the router access the machines without first compromising the firewall?

    I understand that it is possible to packet sniff on a switch via some sort of MAC address confusion... is this the only access open to the attacker?

    Gav

    hum perhaps this should be in security after all.


  • Registered Users, Registered Users 2 Posts: 199 ✭✭hudson806


    Originally posted by Verb:
        if someone gets into the router all they can access is the firewall because of the router configuration ( which they can change admittedly ).

    That's what it comes down to - if they change the LAN side address to a private one, bingo, they have the whole network.

        I understand that it is possible to packet sniff on a switch via some sort of mac address confusion... is this the only access open to the attacker ?

    ARP poisoning could be the next step after compromising the router, but just scanning all the obvious subnets would yield the IPs of the computers anyway.

    Whatever way you look at it, you have a single point of failure in your network this way - once the router is compromised, it's trivial to get everything else.


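    An added illustration (not from hudson806's post or anyone else in the thread) of what the "MAC address confusion" asked about above looks like on the wire and how it can be caught. The Python below parses a constructed, tcpdump-style capture of ARP replies and flags any IP whose advertised MAC changes, plus any single MAC that answers for several IPs. The capture lines, addresses and MACs are made up; a real deployment would watch a live feed (arpwatch does this) rather than a string, and it does not cover the other way of sniffing a switch, flooding its MAC table.

```python
"""Detecting ARP cache poisoning from a capture of ARP replies.

Added example, not from the original thread.  The capture below imitates
tcpdump's ARP output but is constructed for illustration; the addresses and
MACs are made up.  10.0.0.1 plays the gateway, 10.0.0.12 a workstation, and
de:ad:be:ef:00:99 the attacker's NIC claiming both.
"""
import re
from collections import defaultdict

# Constructed sample: tcpdump-like "Reply <ip> is-at <mac>" records.
SAMPLE_ARP = """\
10:01:02.000001 ARP, Reply 10.0.0.1 is-at 00:11:22:aa:bb:01, length 28
10:01:02.000205 ARP, Reply 10.0.0.12 is-at 00:11:22:aa:bb:0c, length 28
10:01:03.100000 ARP, Reply 10.0.0.1 is-at 00:11:22:aa:bb:01, length 28
10:01:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99, length 28
10:01:05.000100 ARP, Reply 10.0.0.12 is-at de:ad:be:ef:00:99, length 28
10:01:06.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.12, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests and noise are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_poisoning(text):
    """Return alerts (timestamp, ip, first_mac, new_mac) whenever the MAC claimed
    for an IP differs from the first one seen for it."""
    known = {}
    alerts = []
    for ts, ip, mac in parse_replies(text):
        if ip in known and known[ip] != mac:
            alerts.append((ts, ip, known[ip], mac))
        known.setdefault(ip, mac)  # keep the baseline, do not learn the new claim
    return alerts


def macs_claiming_many_ips(text, threshold=2):
    """MACs that answer for at least `threshold` distinct IPs: a second indicator,
    since one attacker NIC impersonates both the gateway and the victim."""
    ips = defaultdict(set)
    for _, ip, mac in parse_replies(text):
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) >= threshold}


if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_ARP):
        print("MAC changed:", alert)
    print("multi-IP MACs:", macs_claiming_many_ips(SAMPLE_ARP))
```

    The baseline approach has an obvious caveat: a legitimately replaced NIC on the gateway will trip the same alert, so the first-seen mapping needs to be confirmed by an administrator rather than learned blindly from the wire.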


  • Registered Users, Registered Users 2 Posts: 78,474 ✭✭✭✭Victor


    Originally posted by Verb:
        Certainly the user could change their IP to a publicly used one but in this situation, the users can be trusted.

    OK, I can only really comment on small LANs, but I presume the above means no one in the office knows anything about computers .... ;)


    Kill, kill, kill the laser mice.


  • Closed Accounts Posts: 215 ✭✭Skeptic1


    What I have read is that the firewall should be capable of handling all security - and that is all it should do. That way you confine security issues to one simple machine that is easy to manage. Additional security on PCs and routers etc. is a bonus but not the primary concern. For this reason, a dual homed firewall is necessary somewhere between the lan and the outside world.


  • Closed Accounts Posts: 215 ✭✭Skeptic1


    It does not seem right to me. The firewall should be a dual homed machine. What is to stop a workstation PC from sending packets directly to the switch?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Um, what's the point of having the Firewall in the new architecture?

    I don't see what it can enforce, if it's on the same network segment as the rest of the PCs. What did you have in mind for it?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    And another follow up ...

    I'm not sure I fully understand your diagram. Does that mean that the router is plugged directly into the same switch as the rest of the PCs and firewall? If that's the case, then you can't enforce that all traffic goes through your firewall. Any ACLs you put on the router are the only thing enforcing network policy there. Also, if your single point of failure (the router) is compromised, then the network can be sniffed straight away.

    You asked if TCP/IP would be enough to maintain security. Basically no. As hudson pointed out, you should filter private IP addresses coming in, as well as broadcast addresses. I assume you have some sort of NAT in place to translate them going out?

    If the firewall is only providing packet filtering, then the router can probably do that just as effectively. If it's providing proxy based access to the outside world, or offering services that the outside world should be able to access (you said the user machines can masquerade as public IPs if they want) then it should ideally be on its own network segment. This would let you control how the internal network accesses the firewall (by filtering packets from the inside to your DMZ) and how the outside world accesses it (again, by filtering). If your DMZ machines have to talk to machines on the internal LAN, this can be strictly controlled, and in the event of a compromise of this bastion host, the intruder has no obvious way of sniffing all traffic on the internal network without compromising the router between the DMZ and the internal network.

    But, obviously you have to work within the constraints given. Why are you trusting the users internally to connect to the firewall instead of directly to the router? What is the firewall doing exactly?

    More information required.


  • Closed Accounts Posts: 649 ✭✭✭The Cigarette Smoking Man


    Originally posted by X_OR:
        But, obviously you have to work within the constraints given. Why are you trusting the users internally to connect to the firewall instead of directly to the router? What is the firewall doing exactly?

    NAT maybe?

    What you should do is get a second switch and put it between the router and the Firewall instead of the crossover and if you want PCs outside the firewall plug them into that switch.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Thanks for all the replies. The reason I was doing this was because we need to be able to allow certain machines to have straight out access temporarily, for testing etc.

    The firewall pretty much acts as a proxy, doing NAT and transparent proxying with squid.

    I was more curious as I said above as to how well TCP/IP purely on its own would be able to enforce security. Just by intelligent subnetting etc.

    It completely passed by me that if the router was compromised, the attacker would of course be able to very easily reconfigure the router as pointed out by hudson.

    Also the reason we were partially restricted to the above setup was poorly thought out purchasing of network bits and pieces..... Which I don't have control over.

    However, things have been rearranged and so now the setup is

    router --> hub --> firewall(s) ---> switch --> LAN

    Any machine we want to have direct access we put on the hub, everything internal goes from the switch to the firewall and out.

    Gav

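    An added example (not from any post in the thread) that puts ecksor's point about enforcement and Gavin's final layout into a checkable form: each layout is modelled as a graph of what is cabled to what, and a breadth-first search asks whether the firewall is an unavoidable chokepoint between a given host and the router. Node names are invented; a hub and a switch are treated the same way here, since for this question both just connect whatever is plugged into them.

```python
"""Does every path from a host to the router cross the firewall?

Added example, not from the original thread.  The three layouts discussed
above are modelled as undirected graphs of segments/cables.  Node names are
made up for illustration.
"""
from collections import deque


def build_graph(links):
    """Undirected adjacency list from (a, b) cable or segment pairs."""
    g = {}
    for a, b in links:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def reachable(graph, src, dst, blocked=()):
    """BFS: can src reach dst without entering any node in `blocked`?"""
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return False


def is_chokepoint(graph, src, dst, chokepoint):
    """True if dst is reachable from src and every path passes through `chokepoint`."""
    return (reachable(graph, src, dst)
            and not reachable(graph, src, dst, blocked={chokepoint}))


# Original layout: router - firewall - hub - PCs.
ORIGINAL = build_graph([("router", "firewall"), ("firewall", "hub"),
                        ("hub", "pc1"), ("hub", "pc2")])

# Proposed layout: router, firewall and PCs all hang off one switch.
PROPOSED = build_graph([("router", "switch"), ("firewall", "switch"),
                        ("switch", "pc1"), ("switch", "pc2")])

# Final layout: router - hub - firewall - switch - LAN, with a test box on the hub.
FINAL = build_graph([("router", "hub"), ("hub", "firewall"), ("hub", "testbox"),
                     ("firewall", "switch"), ("switch", "pc1"), ("switch", "pc2")])


def report():
    """For each layout, is the firewall unavoidable between the host and the router?"""
    return {
        "original pc1": is_chokepoint(ORIGINAL, "pc1", "router", "firewall"),
        "proposed pc1": is_chokepoint(PROPOSED, "pc1", "router", "firewall"),
        "final pc1": is_chokepoint(FINAL, "pc1", "router", "firewall"),
        "final testbox": is_chokepoint(FINAL, "testbox", "router", "firewall"),
    }


if __name__ == "__main__":
    for name, enforced in report().items():
        print(f"{name}: firewall is {'' if enforced else 'NOT '}a chokepoint")
```

    report() returns True only for the original layout and for the switch-side PCs in the final one; in the proposed flat layout, and for the test box on the hub in the final one, the host can reach the router without touching the firewall, so nothing configured on the firewall is enforced for it. A default gateway pointing at the firewall does not change this, since a host (or an attacker on it) can address the router directly. The model says nothing about what those hosts can see: on a hub every port receives every frame, so the test boxes and the firewall's outer interface are exposed to each other, which is worth remembering when something untrusted is plugged in there for testing.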
