RE: [RRG] Renumbering... ACL alternatives?
On Sat, 16 Aug 2008, Tony Li wrote:
> |Exactly, I fully agree. The next question is whether the practice of
> |configuring remote addresses in filtering devices is common. I hope
> |it's not. Does anyone on this list have experience or data on this?
> Unfortunately, the practice of putting remote addresses into firewall ACLs
> is all too common. Of course, there's a name we have for sites that do
> this: pwned.
> That said, this is such a colossally bad practice, that I would have no
> trouble supporting architectures that forced people to rethink this.
The alternative(s) being...?
This practice stems from various needs and requirements, some of which
seem legitimate to me. If we deny them as "bad practice", we'll
likely end up with a solution that doesn't meet real-world
requirements.
My take on some of the variables here:
- an application running between 2..N sites over the Internet
- using a) a fixed port, b) pretty much random ports
- host system can be trusted (strongly secured, and/or has
reliable host firewall) or not trusted
- defence in depth required vs not required
In some cases, opening port 80 or all ports to the whole Internet in a
border firewall is frowned upon. So you want to filter based on
addresses or prefixes of the sites who may legitimately use the
service, and require some other form of authentication on the system
itself (e.g. user auth or certificates).
Alternatives?
- Deploying the application using certificates and TLS. But then if
you would open the service to the whole world, you would be open to
basic-level exploits (e.g. in TLS processing) and DoS attacks from
everywhere. Some accept this risk, some others don't.
- Opening IPsec+IKE to the whole world also opens an attack surface
for those protocols. Further, it's also a heavyweight solution.
Most operating systems in question also don't natively support
IPsec-protected sessions and/or tunnels, and deploying separate
boxes would increase complexity and cost.
--
Pekka Savola                  "You each name yourselves king, yet the
Netcore Oy                     kingdom bleeds."
Systems. Networks. Security.   -- George R.R. Martin: A Clash of Kings
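An added illustration (not part of Pekka's or Tony's messages) of the tension the thread is about: a border ACL keyed on a remote site's prefix silently starts rejecting that site the moment it renumbers, while a check bound to an authenticated peer identity (the "other form of authentication on the system itself") does not. Prefixes, the port, and the `peer_id` field standing in for a TLS client-certificate subject are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

@dataclass(frozen=True)
class Flow:
    src: str                       # remote address the connection arrives from
    dport: int
    peer_id: Optional[str] = None  # identity proven after auth (assumed: TLS client-cert subject)

class PrefixAcl:
    """Border-firewall style rule: permit dport only from the listed remote prefixes."""
    def __init__(self, dport: int, prefixes: Iterable[str]):
        self.dport = dport
        self.prefixes = [ip_network(p) for p in prefixes]

    def permits(self, flow: Flow) -> bool:
        return flow.dport == self.dport and any(
            ip_address(flow.src) in net for net in self.prefixes)

class IdentityPolicy:
    """Host/application-level check: permit only authenticated, allow-listed peers."""
    def __init__(self, dport: int, allowed_ids: Iterable[str]):
        self.dport = dport
        self.allowed_ids = set(allowed_ids)

    def permits(self, flow: Flow) -> bool:
        return flow.dport == self.dport and flow.peer_id in self.allowed_ids

def admitted(policies: Iterable, flow: Flow) -> bool:
    """Defence in depth: every layer must permit the flow."""
    return all(p.permits(flow) for p in policies)

# Constructed scenario: remote site B renumbers from one documentation prefix to another.
SITE_B_OLD, SITE_B_NEW = "198.51.100.0/24", "203.0.113.0/24"
ACL = PrefixAcl(443, [SITE_B_OLD])            # written before site B renumbered
IDENTITY = IdentityPolicy(443, ["siteB-app"])  # address-independent allow-list

def scenario() -> dict:
    legit_before = Flow("198.51.100.7", 443, "siteB-app")
    legit_after = Flow("203.0.113.7", 443, "siteB-app")   # same peer, new address
    stranger = Flow("192.0.2.9", 443, None)                # unauthenticated, unknown source
    return {
        "acl_before": ACL.permits(legit_before),               # True
        "acl_after": ACL.permits(legit_after),                 # False: stale ACL blocks a legitimate site
        "identity_after": IDENTITY.permits(legit_after),       # True: identity survives renumbering
        "both_after": admitted([ACL, IDENTITY], legit_after),  # False until the ACL is updated
        "stranger_acl_only": ACL.permits(stranger),            # False
    }

if __name__ == "__main__":
    print(scenario())
```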
--
archive: <http://psg.com/lists/rrg/> & ftp://psg.com/pub/lists/rrg