Security Basics mailing list archives

RE: Question about dmz security
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Sat, 15 Feb 2003 07:50:53 -0600

The problem with a multi-homed solution is that if somebody were to
compromise the ftp server, they gain unfirewalled access to your local


Use the compromised ftp to install a telnet server listening on a port
(maybe one that 'calls home' to get through the DMZ firewall instead of a
vanilla telnet, but not difficult).  Now your bad-guy has unfirewalled
access to the LAN.

Easy attack #2 - install a packet sniffer that looks for interesting packets
and periodically emails the sniffs, to some anonymous hotmail account (or
just as a file available for download on the ftp server).



-----Original Message-----
From: Jennifer Fountain [mailto:JFountain () rbinc com]
Sent: Friday, February 14, 2003 1:42 PM
To: security-basics () securityfocus com
Subject: Question about dmz security

I need an opinion on a current design implementation in place.  We have
an ftp server sitting in our dmz.  This box has two nics - one is
plugged into the dmz hub and one is plugged into our network.  I think
this is a security risk and we should just allow internal users access
to the box via the firewall by opening the port instead of having dual
nics.  They do not see a security risk.  Maybe I am just too new at this
and need some education.  What is the "best" way to implement this?

Thank you
Jenn Fountain
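
As an added illustration (not part of this thread, and not code from either poster), the following Python script models the two designs under discussion as a simple zone reachability check: the dual-NIC ftp box versus a single-homed box in the DMZ that internal users reach through a firewall rule. The subnets, host addresses, ports and firewall rules are constructed for the example; the point it shows is that traffic leaving a second NIC that sits directly on the LAN never passes the firewall at all, so no rule can constrain it, while the single-homed design makes every DMZ-to-LAN flow subject to the policy.

```python
"""Model the two DMZ ftp designs as a zone/firewall reachability check.

Added example, not from the original mailing-list post. All subnets,
hosts, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed zone definitions (assumed addressing, not from the thread).
LAN = ipaddress.ip_network("10.0.0.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")


@dataclass
class Host:
    name: str
    addrs: List[str]  # one address per NIC


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str  # "allow" or "deny"


# Recommended design: the firewall permits only the ftp control port from
# the LAN into the DMZ and denies everything originating in the DMZ.
# (Real ftp also needs its data channel: an ftp ALG or a passive port range.)
RULES = [
    Rule(LAN, DMZ, 21, "allow"),
    Rule(DMZ, LAN, None, "deny"),
]

# Constructed hosts for the two designs plus an internal workstation.
FTP_DUAL = Host("ftp-dual-homed", ["192.168.100.10", "10.0.0.10"])
FTP_SINGLE = Host("ftp-single-homed", ["192.168.100.10"])
WORKSTATION = Host("workstation", ["10.0.0.20"])


def zones_of(host: Host) -> set:
    """Return the set of zones in which the host has a NIC."""
    zones = set()
    for a in host.addrs:
        ip = ipaddress.ip_address(a)
        if ip in LAN:
            zones.add("lan")
        if ip in DMZ:
            zones.add("dmz")
    return zones


def dual_homed(host: Host) -> bool:
    """True when the host bridges more than one zone (the risky design)."""
    return len(zones_of(host)) > 1


def find_bridging_hosts(hosts: List[Host]) -> List[str]:
    """Audit helper: names of hosts with NICs in both the DMZ and the LAN."""
    return [h.name for h in hosts if dual_homed(h)]


def firewall_allows(rules: List[Rule], src_ip, dst_ip, dport: int) -> bool:
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "allow"
    return False


def reachable(src: Host, dst_addr: str, dport: int, rules: List[Rule]) -> bool:
    """Can src open a TCP connection to dst_addr:dport?

    If any NIC on src shares a segment with the destination, the packet is
    switched directly and the firewall never sees it. Otherwise the flow
    crosses zones and the firewall policy decides.
    """
    dst = ipaddress.ip_address(dst_addr)
    src_ips = [ipaddress.ip_address(a) for a in src.addrs]
    for ip in src_ips:
        for net in (LAN, DMZ):
            if ip in net and dst in net:
                return True  # same segment: no firewall in the path
    return any(firewall_allows(rules, ip, dst, dport) for ip in src_ips)


if __name__ == "__main__":
    # A compromised ftp box trying to reach an internal file server (constructed).
    for box in (FTP_DUAL, FTP_SINGLE):
        print(f"{box.name} -> 10.0.0.50:445 reachable: "
              f"{reachable(box, '10.0.0.50', 445, RULES)}")
    # Internal users still get ftp in the single-homed design, and nothing else.
    print("workstation -> ftp:21:", reachable(WORKSTATION, "192.168.100.10", 21, RULES))
    print("workstation -> ftp:22:", reachable(WORKSTATION, "192.168.100.10", 22, RULES))
    print("hosts bridging DMZ and LAN:", find_bridging_hosts([FTP_DUAL, FTP_SINGLE, WORKSTATION]))
```

The `find_bridging_hosts` check is the kind of thing worth running over an interface inventory: any host with addresses in both a DMZ and an internal subnet is a path around the firewall, whatever the firewall rules say. The single `allow LAN -> DMZ:21` rule is a simplification; a real ftp deployment also needs the data channel handled, either by the firewall's ftp helper or by opening a defined passive port range.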
