From: Ansgar -59cobalt- Wiechers on 25 Apr 2010 16:38 Sorry about the late response. I had a busy week. Grant Taylor <gtaylor(a)riverviewtech.net> wrote: > Ansgar -59cobalt- Wiechers wrote: >> The only services that come to mind are Remote Desktop and SSH. > > RDP. That's the protocol Remote Desktop uses. So, what about it? >> No, actually we can't agree on that, as it's just plain wrong. Unless >> you are talking about script-kiddy level, spoofing of addresses >> (either IP or MAC) is the most basic of the basics. And in case of >> UDP sending the packet with a fake sender address is all there is to >> it. It's neither difficult nor complex at all. > > I was referring to script-kiddy. > > I'm of the opinion that little will stop a properly motivated skilled > attacker. Script-kiddies are no serious threat to properly maintained systems. It's the determined attackers that you need to defend agains. They are the guys that will cost your business real money. [...] >> On top of being a lot more intelligent at the application layer, SSH >> (unlike SNMP) is also TCP-based. How do you think the compromised >> host is going to receive TCP response packets when they're not going >> back to the attacker's IP address? Unlike UDP, TCP is not stateless. > > The compromised host would need to be in the return path or local LAN > of the spoofed host. TCP is not SMTP. If the compromised host spoofs the source address, the response packets will not go back to the compromised host (unless the attacker gets the switch into hub-mode, which your monitoring should notice). >> Please be more specific about the scenario. By "from the systems >> behind the edge firewall" you mean connections from within some LAN >> (management or whatever) to the servers in the DMZ? What kind of >> connection? Why wouldn't RDP suffice? Why can't the connection be >> tunneled (e.g. with stunnel) in case RDP does not suffice? > > Let's say that it's a routed VLAN that is firewalled and using > globally routable IPs for the servers in said VLAN. (Said another > way, the same broadcast domain.) > > RDP or SSH should suffice for management. But what about some other > service that is used by the server. - I've never messed with it, what > ports need to be open for MS Cluster Server to communicate with each > other? I didn't have to deal with it either, but the fine documentation [1] mentions these: Cluster Services 3343/udp RPC 135/tcp Cluster Administrator 137/udp Randomly allocated ports 1024/udp - 65535/udp 49152/udp - 65535/udp (Server 2008) However, since the cluster nodes need to be able to talk to each other, there's nothing a personal firewall can do about protecting these. >> In a scenario like that: if an attacker can exploit one server, he >> can exploit the other (similar) servers just the same. No need at all >> to take a different route for compromizing them. > > As long as the edge firewall will allow access to the other servers > (not doing some sort of load balancing based on source IP that would > ensure that one IP would talk to one server) sure. > > That is also assuming that all the servers are serving the same > content. That assumption might not be the case for a web farm that > assigns a (vulnerable) web site to some but not all servers. A vulnerable web-site is not the same as a vulnerable service. And although the vulnerability may be exploited to compromise another service or even the system (through SQL injection for instance), this kind of attack can be done from the outside as well. [1] http://support.microsoft.com/kb/832017 Regards Ansgar Wiechers -- "If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich
From: Ansgar -59cobalt- Wiechers on 25 Apr 2010 16:42
Grant Taylor <gtaylor(a)riverviewtech.net> wrote: > Here's my colleagues full comment (with permission): > > """Yes, host-based firewalls are necessary to keep the "crunchy > shell/soft-gooey center" phenomenon from happening in a network. It is > about layers. If an attacker gets beyond a border firewall and there > is nothing keeping them from accessing every machine, the network > owner will wish host-based firewalls would have been in place.""" > > Again, I think this is more talking about end user workstations than > servers. But I still think it's a good point. Catchy. However, despite all the catchiness your colleague is still wrong. Sorry to burst your bubble. A locked-down system is far from being "gooey on the inside". And I already outlined a couple reasons why your host-based firewall may not make your system as "crunchy" as you think it does. cu 59cobalt -- "If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution." --Mark Russinovich |