Sorry it has taken a week for me to reply to this, but I for one could not believe I saw mjr's response...

IMHO, there are two pieces to this puzzle. The first is the business side, to determine the worth of the data or enterprise. This must be weighed against how much you can spend on security. The business must determine what type of risk it is willing to take in order to do business on the big I.

The second part consists of security theory. Defense-in-depth is always greater than a single server. A single server residing on its own is not a security solution. Other details and tools MUST be included, such as a competent system admin who maintains the server, loads patches, reads the logs, etc. It does not matter if we are talking about NT or UNIX. There needs to be a security policy in place stating what is permitted or denied. Next we need tools to trouble-shoot whatever may happen, such as sniffers and people who can use them.

As far as the lack of a firewall if the server itself is as strong as a firewall, I do believe this to be true (unless there was only one server supporting a Mom & Pop organization...). If you have several servers within this DMZ, then you basically have multiple doors to guard against an attack. If we use the analogy of the 1400-1600's, where you have a keep with one door that is barred and defenses, possibly surrounded by a castle, surrounded by the local farms and a small wall, etc. This is defense-in-depth. However, whenever possible the defense tries to limit the egress points to one. The fewer places to defend, the more concentration you can hold. If you try to hold a huge perimeter, you will probably fail.

In the security realm, we usually use ACLs on our perimeter. Perhaps a sniffer or IDS system on our uplink to the ISP. Then a firewall that we can monitor. Perhaps another NIDS system on the inside to tell if there are any security policies that were broken. Then, you must rely on your host-based IDS, system monitoring and the System Admin for each of the servers. There are still more tools that can be used on the server. Tripwire, ESM, vulnerability scanners, etc. should be used. I do not think this is a totally exhaustive list (as training comes to mind).

The bottom line is that I do not think anyone could say that they have a server standing all by itself and say that they have done due diligence to their employer. There are many other questions that must be answered.

Jim

-----Original Message-----
From: Aaron D. Turner [mailto:aturnerat_private]
Sent: Monday, February 14, 2000 3:22 PM
To: Bruce H. Nearon
Cc: firewall-wizardsat_private
Subject: Re: mitigating the lack of a firewall

Well that depends. Is the site 100% static? If it has cgi's or ASP scripts, those might be exploitable. Does it need to talk to/run a SQL server, DNS server, etc? Again, potential exploits.

What kind of DoS attacks? Some DoS attacks run very CPU-expensive queries which will make your server unresponsive, while others are network based. A firewall isn't likely to stop people from hammering your site, but it can help stop SYN attacks.

The reality is that a server protected by a firewall is more secure than one not protected. However a firewall isn't the silver bullet that stops all attacks. Whether you need a firewall is dependent on the kind of site, the company, and the purpose.

--
Aaron Turner aturnerat_private 650.237.0300 x252
Security Engineer Vicinity Corp. Cell: 408-314-9874 Pager: 650-317-1821
http://www.vicinity.com

On Sat, 12 Feb 2000, Bruce H. Nearon wrote:
> Suppose an Internet site does not have a firewall. Can a securely
> configured IIS 4.0 server running under securely configured NT 4.0
> protect the site from unauthorized access and denial of service attacks?
>
> Bruce Nearon, CPA
> The Cohn Consulting Group
> Roseland, New Jersey
>
>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:08:12 PDT