From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 24 Sep 2004 - 15:28:10 BST
On Fri, Sep 24, 2004 at 03:27:11PM +0200, Gilles wrote:
>
> Setup A:
>
> > > > > [ (nic2) ] <----> [ (nic3) H2 ]
> > > > > Internet <----> [ (nic1) H1 ]
> > > > > [ (nic4) ] <----> [ (nic5) H3 ]
> > > > > [ (nic6) H4 ] etc.
>
> Setup B:
>
> > > > Internet <---> [nic1 H1 nic2] <---> [nic3 H2 nic4] <---> H3,H4,H5 ...
>
> > > What's the difference between "border" and "simple" firewall?
> >
> > the 'border' firewall protects the office against
> > the internet, the 'simple' firewall protects your
> > services
>
> But the services *are* protected, by H1.
yes, that is possible, also all internal communication
(service wise) will pass through the 'border' firewall
> > (and maybe the border firewall)
>
> Ah, that's the added value then.
> But, as Matt replied, a firewall is a much more difficult target...
>
> > > Isn't it sufficient to have a firewall on H1 (the host)?
> >
> > sufficient, well, maybe, but you asked about security
> > right? and part of that security would be to monitor
> > the firewall and detect intrusion, which is actually
> > very simple with a 'non-reachable' host, monitoring
> > a 'firewall' vserver ...
> >
>
> OK, I get it, I think.
>
> > > If not, how do the host and vserver share responsibilities (pppd,
> > > firewall,...)?
> >
> > pppd is probably not a part of the firewall I had in
> > mind, but if you need some kind of 'dialup' connectivity
> > for that office, then the 'firewall' host will have to
> > handle that, of course ...
> >
>
> So that means yet another firewall on H1 (?): one on the host to watch
> "ppp0" and forward all connections to the vserver running a second firewall
> that does the port forwarding (for the allowed services) and that is
> monitored for intrusion.
the 'firewall' vserver would require more than the
usual CAPs to allow for changing rules and similar
so you might well handle such stuff there ...
> > firewall software is iptables in my book, YMMV,
>
> Yes I use iptables too, configured through the "Shorewall" scripts.
>
> > exploit on apache -> root shell on server -> all done
>
> Yes I get that, but I didn't intend to run any service outside
> a vserver nor on the H1 machine.
yes, that was just the 'general' exploit case ...
> > in the depicted setup it will probably happen like
> > this:
> >
> > exploit -> root shell on vserver -> isolated
> > -> exploit to escape vserver -> H2
> > -> exploit for the firewall -> H1
> >
> > which looks to me a little more secure than the above.
> >
>
> Yes a *little* more, as the only difference with setup A is the
> exploit to cross the supplementary firewall on H2. But... in
> setup B, the internal network is then open, while in setup A,
> the firewall on H1 remains to be cracked to access H3, H4, etc.
> So, it seems that trying to access the private network eventually
> requires roughly the same amount of "work".
actually depends on the setup, usually the firewalling
between the office clients and the services will be
weaker than the firewalling to the outside (if not
diabled for whatever reason)
> But, my main worry was about the DMZ! Unless I overlooked something
> in your answers, I'm still confused about that.
>
> What is the difference (or is there one, in principle) between:
>
> (1) Having a public service (e.g. apache) and a private service (e.g.
> mysql), running on 2 separate vservers on the same host.
>
> and
>
> (2) Having the public service and private service each running on their
> own hosts.
>
> The first thing I notice is that in case (2), the 2 hosts would be on
> different subnets (one of which is the DMZ). [Hence the firewall rule
> would only allow connections from the Internet to the DMZ.]
>
> While in case (1) all vservers share the same virtual ethernet inside
> the host. [So there is no simple firewall rule: allow to DMZ / deny to
> private.]
>
> Is this correct? In the affirmative, is it a problem and can it be
> solved?
well, thing is that people tend to make errors
and separating the administrative aspects into
two units (physical) might help to catch those
errors, where doing fancy rules on one unit, if
done properly can provide the same security ...
> E.g. I was wondering whether it is possible to simulate several subnets
> inside a single host (i.e. without resorting to a second nic!).
you do not need a separate nic to have a subnet on a
linux host, but all communication on the same host
will happen via lo (see More Documentation on the
linux-vserver wiki), so you have to keep that in mind.
> If I remember correctly, "vmware" does that (as was already
> pointed out by someone else).
> So the question is: How to do it with vserver?
vmware and QEMU or Bochs use a separate kernel (similar
to that what UML does) and communicate via tun/tap
devices with the host, which adds some overhead but
provides separated 'interfaces' on the host ...
this is something which probably will not be added
without good reason, because of the performance and
routing overhead ...
best,
Herbert
> Best regards,
> Gilles
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver