Security Basics: Physical vs. Virtual iface device vulnerability

From: Samuel Moses <smoses_at_drjays.com>
Date: Wed, 30 Jun 2004 17:30:21 -0700 (PDT)

Question-

If I connect my outside switch to my inside switch and give an outside
machine an internal address on a virtual interface, will I be opening my
network to vulnerabilities differently than if I modified my firewall
rules and let the outside connection through? A more in-depth description
follows. Thank you very much in advance for any information regarding flaws
in this logic!

Problem-
I would like to implement Dspam on my mail server. My mail server resides
outside my internal network with its own firewall in place. I have a
database server that resides inside my network and would like to use the
MySQL installation on that machine for the Dspam installation.

Resolution A-
Pass through traffic on my openbsd firewall from the external mail server
to the internal database server for MySQL connections. This seems error
prone.

Resolution B-
Install MySQL on the mail server locally. This is more maintenance
intensive as I already have and maintain a tuned DB installation.

Resolution C-
Connect the external switch to the internal switch, give the mail
server an internal IP address and set up a connection to MySQL on the inside
only.

I lean toward Resolution C as it's fairly simple to implement and to me it
seems best not to open up any database connection to the outside world no
matter how restrictive it is. What I don't know, and the reason for this
posting, is whether I'm opening my internal network to intrusions due to the
fact that I have an external IP and a virtual internal IP on the same NIC
with the two switches connected. Any input pointing out flaws in this idea
is welcome.

-sam
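Resolution A, written out as an OpenBSD pf rule set so the two ways of "passing through" MySQL can be compared side by side. This is an added example, not part of the original post; the interface names, addresses and the assumption that MySQL listens on TCP 3306 are constructed for illustration.

```pf
# Constructed example: firewall between the mail server (outside) and the DB server (inside).
ext_if   = "fxp0"          # interface facing the mail server / outside segment
int_if   = "fxp1"          # interface facing the internal segment
mail_srv = "192.0.2.10"    # mail server's external address (assumed)
db_srv   = "10.0.0.20"     # internal MySQL host (assumed)
mysql    = "3306"          # MySQL listens here (assumed default)

# Default deny, logged, so anything not explicitly passed shows up in pflog.
block in log all
block out log all

# Do not accept internal source addresses arriving on the external interface.
antispoof quick for $ext_if inet

# Too permissive: this is the "pass through" variant that is error prone.
# It would let the mail server reach every internal host and port.
# pass in on $ext_if from $mail_srv to any keep state

# Restrictive: one source, one destination, one protocol, one port,
# new connections only (SYN without ACK), with stateful tracking.
pass in  on $ext_if proto tcp from $mail_srv to $db_srv port $mysql \
    flags S/SA keep state
pass out on $int_if proto tcp from $mail_srv to $db_srv port $mysql \
    keep state

# The DB server never initiates connections toward the mail server;
# replies are matched by the state entries above, so no rule is needed.
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf` and confirm the loaded rules with `pfctl -sr`; with the default-deny block in place, the logged drops in pflog show whether anything other than the single MySQL flow is trying to cross the firewall.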

Received on Jul 01 2004