Firewall Wizards mailing list archives

Host based IP ACL like TCPWrapper or IP_Filter, but for NT?
From: "Alan Morewood" <morewood () on bell ca>
Date: Wed, 26 May 1999 13:41:09 -0400 (EDT)

Does anyone have ideas as to a feasible solution for doing IP ACL
restrictions on a DMZ host?  Or does this seem excessive considering
2-factor authentication is to be used?

details as follows:

The network is a traditional DMZ with external and internal chokes and
numerous bastion-style hosts in the middle.  Most of the devices have 2-factor
authentication required for network access to the administrative channels.  The
devices also have Tripwire/swatch or similar host intrusion detection systems.

Traditionally running Unix, these DMZ hosts have had IP access controls
defined on the hosts themselves, and not just at the choke points.

This configuration provides a division of responsibility where both the
choke (firewall) management team and host management team must make a mistake
before accidental exposure is given to a network service on a bastion host.
This also controls interaction between DMZ hosts, helping to prevent all
systems from being compromised once a single system is compromised.

There is some interest to move to NT, and tools for 2-factor
authentication and host intrusion detection have been chosen, but there
is some concern regarding IP access restriction tools.

The IP access controls have taken the form of TCPWrapper, IP_Filter,
and less robust application controls as found in NFS and HTTPD.  But
few NT applications support IP ACL restrictions, and TCPWrapper is not
supported.

   NBT does not have IP ACLs as found in Unix NFS, and it allows all
   those other NBT IPC$ calls.  (Don't currently allow NFS and not
   keen on allowing NBT)

NT has no direct IP_Filter equivalent, although there is at least one option
of which I am aware.

It may be possible to install a component of checkpoint firewall-1 in the IP
stack, and manage the traffic passing into the DMZ host.  This is not like the
traditional functionality of the firewall software as it is not intended to
pass any traffic through the DMZ host. Although the DMZ host does have a front
and back channel, it does not forward packets from one network to the other.

Firewall-1 marketing does not seem to address such a scenario, and the pricing
for adding Firewall-1 just to perform IP ACL and not DoS or VPN seems infeasible.

al
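The layered control the post describes (choke ACL plus a TCP Wrappers-style host ACL on each bastion, with peer DMZ hosts denied) as an added illustration that is not part of the original message; the addresses, daemon names and rules are constructed for the example.

```python
"""Host-based IP ACL in the style of TCP Wrappers hosts.allow / hosts.deny,
combined with a choke-point check so both layers must permit a connection.
All networks and rules below are hypothetical, constructed for this example."""
import ipaddress

# Constructed policy for one bastion host: admin net may reach sshd,
# anyone may reach httpd, the DMZ peer net and everything else is denied.
HOSTS_ALLOW = """
sshd: 10.1.0.0/255.255.255.0      # admin network (constructed)
httpd: ALL
"""
HOSTS_DENY = """
ALL: 192.168.50.0/255.255.255.0   # other DMZ hosts (constructed)
ALL: ALL
"""

def _parse(text):
    """Turn 'daemon_list: client_list' lines into (daemons, clients) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def _match_client(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 10.1.0.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr

def _match(rules, daemon, addr):
    return any((daemon in ds or "ALL" in ds) and any(_match_client(c, addr) for c in cs)
               for ds, cs in rules)

def host_allows(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """TCP Wrappers order: a hosts.allow match wins, then hosts.deny is
    consulted, and a client matched in neither file is allowed."""
    if _match(_parse(allow), daemon, addr):
        return True
    if _match(_parse(deny), daemon, addr):
        return False
    return True

def reaches_service(daemon, src, choke_allows):
    """Division of responsibility: the choke ACL and the host ACL must both
    permit, so a single team's mistake does not expose the service."""
    return choke_allows(daemon, src) and host_allows(daemon, src)
```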