Security question

Security question

[Sasa Stupar]

What is the potential security problem if you have network as follows:

SOLUTION 1

INET-CABLE MODEM-----------------|
ROUTER-eth0-public IP address----|
ROUTER-eth1-private IP address---|------->SWITCH
ROUTER-eth2-private IP address---|
Internal server for mail,web-----|
all LAN users with private IP----|


SOLUTION 2

INET-CABLE MODEM-->eth0-ROUTER|--eth1|
			       --eth2|-->SWITCH
		 server and LAN users|

I am thinking of the solution 1 because cable modem is a little bit to 
far away from the router and I don't want to use to much of the cables. 
I have setup router with MAC address filtering and also put firewall on 
all internal computers.

What is possible security problem comparing the 2 solutions above?

Regards,
Sasa

Re: Security question

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 1205 bytes --]

On Mon, 2004-03-01 at 14:55, Sasa Stupar wrote:
> What is the potential security problem if you have network as follows:
> 
> SOLUTION 1
> 
> INET-CABLE MODEM-----------------|
> ROUTER-eth0-public IP address----|
> ROUTER-eth1-private IP address---|------->SWITCH
> ROUTER-eth2-private IP address---|
> Internal server for mail,web-----|
> all LAN users with private IP----|
> 
> 
> SOLUTION 2
> 
> INET-CABLE MODEM-->eth0-ROUTER|--eth1|
> 			       --eth2|-->SWITCH
> 		 server and LAN users|
> 
> I am thinking of the solution 1 because cable modem is a little bit to 
> far away from the router and I don't want to use to much of the cables. 
> I have setup router with MAC address filtering and also put firewall on 
> all internal computers.
> 
> What is possible security problem comparing the 2 solutions above?
> 
Depends what firewall/packet filtering capabilities eth0-ROUTER has ...

> Regards,
> Sasa
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Security question

[Antony Stone]

On Monday 01 March 2004 12:55 pm, Sasa Stupar wrote:

> What is the potential security problem if you have network as follows:
>
> SOLUTION 1
>
> INET-CABLE MODEM-----------------|
> ROUTER-eth0-public IP address----|
> ROUTER-eth1-private IP address---|------->SWITCH
> ROUTER-eth2-private IP address---|
> Internal server for mail,web-----|
> all LAN users with private IP----|

Any user can set their machine to have a public IP and talk to the cable modem 
directly, without going through the router.

Also, Linux-based routers often do interesting things with arp replies when 
they have multiple interfaces connected to the same switch.

> SOLUTION 2
>
> INET-CABLE MODEM-->eth0-ROUTER|--eth1|
> 			       --eth2|-->SWITCH
> 		 server and LAN users|

The only path between the internal protected network and the external Internet 
is through the router - therefore you have complete control over what is 
allowed, by setting appropriate filtering rules on the router.

> I am thinking of the solution 1 because cable modem is a little bit to
> far away from the router and I don't want to use to much of the cables.
> I have setup router with MAC address filtering and also put firewall on
> all internal computers.
> What is possible security problem comparing the 2 solutions above?

Since the switch has no security capabilities, and it is connecting external 
addresses (cable modem) directly to internal machines (PCs), it is simple for 
users to bypass your security if they want to.   I would not use this 
arrangement.

There is a general rule about firewalls - they should be the only path between 
the protected and the untrusted networks.   If there is another way for 
packets to travel between these two, without going through the firewall, you 
cannot rely on it to do the job you want.

Regards,

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we 
don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Security question

[Sasa Stupar]

But with the MAC/IP filtering I can restrict access to the router. So 
anyone who is not in the MAC table for accept it will be refused.
I don't think that it is possible to forge MAC address of nic, or am I 
wrong?

Sasa

Re: Security question

[Antony Stone]

On Monday 01 March 2004 2:25 pm, Sasa Stupar wrote:

> I don't think that it is possible to forge MAC address of nic, or am I
> wrong?

I am sorry to tell you that you are wrong about this.

Antony.

-- 
Normal people think "If it ain't broke, don't fix it".
Engineers think "If it ain't broke, it doesn't have enough features yet".

                                                     Please reply to the list;
                                                           please don't CC me.

RE: Security question

[bmcdowell]

Anthony is correct.  Google it and you'll find numerous examples:

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=forg
e+MAC+address+nic

Despite this fact, however, you don't seem to be using your imagination.
I've always preferred it when security people were just a little more
paranoid:

Imagine a scenario where some form of unknown attack is used to kill
your 'router' and turn one of your connected PC's into a 'router'
instead.

In that case, you would probably wish you had used scenario #2...  With
#2 a dead router means no internet, and that might actually be a good
thing - in an ostrich sort of way.


Bob

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Sasa Stupar
Sent: Monday, March 01, 2004 8:25 AM
To: Netfilter-List
Subject: Re: Security question


But with the MAC/IP filtering I can restrict access to the router. So 
anyone who is not in the MAC table for accept it will be refused.
I don't think that it is possible to forge MAC address of nic, or am I 
wrong?

Sasa

RE: Security question

[John A. Sullivan III]

ifconfig hw ether <WhateverMACAddressYouWantToSpoof>

In fact, this works so well because one can mimic both IP and Mac
address without interrupting service to the real IP address owner! The
ARP table is not compromised and traffic keeps flowing perfectly fine to
the existing users.

I believe one can even use it to get onto restricted wireless networks.

I apologize in that I haven't followed this thread but have been
investigating MAC spoofing as part of our investigation to turn ISCS
(http://iscs.sourceforge.net) into a spoof-proof wireless product with
robust user authentication required before even associated wireless
users can go anywhere from the access point.  In this testing, I was
truly surprised at how easy and effective MAC spoofing was.  I was even
surprised to be surprised since I was quite acquainted with using
locally administered MAC addresses from SNA work in a former life!

So I concur with the rest of the paranoid security admins on the list!

On Mon, 2004-03-01 at 17:24, bmcdowell@coxhealthplans.com wrote:
> Anthony is correct.  Google it and you'll find numerous examples:
> 
> http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&q=forg
> e+MAC+address+nic
> 
> Despite this fact, however, you don't seem to be using your imagination.
> I've always preferred it when security people were just a little more
> paranoid:
> 
> Imagine a scenario where some form of unknown attack is used to kill
> your 'router' and turn one of your connected PC's into a 'router'
> instead.
> 
> In that case, you would probably wish you had used scenario #2...  With
> #2 a dead router means no internet, and that might actually be a good
> thing - in an ostrich sort of way.
> 
> 
> Bob
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Sasa Stupar
> Sent: Monday, March 01, 2004 8:25 AM
> To: Netfilter-List
> Subject: Re: Security question
> 
> 
> But with the MAC/IP filtering I can restrict access to the router. So 
> anyone who is not in the MAC table for accept it will be refused.
> I don't think that it is possible to forge MAC address of nic, or am I 
> wrong?
> 
> Sasa
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com

security question

[Andreas Westendörpf]

Hi *!

I have the following setup. Please tell me if I have some security
issues here.

A linux box with two ethernet interfaces to work as a masquerading
router. One of them (eth0) is connected to a dsl-modem, the other is a
wlan card (eth1). All client systems get this box a default gateway
via dhcp.

My goal is to drop everything coming from the wlan by default. I do
this with:

# iptables -t nat -P PREROUTING  DROP

I want the all www-requests of the client systems to be redirected to
the local Apache on the box. I do this with:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 - REDIRECT

As I need DNS for these www-requests I have to let DNS be accepted:

# iptables -t nat -A PREROUTING -p udp --dport 53 -i eth1 -j ACCEPT

Then, in the POSTROUTING chain I need all the packets that made it
here to be masqueraded:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If I want to allow a specific wlan client to get outside connections I
use:

# iptables -t nat -I PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX
-i the1 -j ACCEPT

to let him through.

Beside of MAC-spoofing, is this setup safe? Can someone get though the
PREROUTING chain, without being "MAC-inserted".

What can I do to block incoming connection attempts? I only want to
allow ssh from outside (internet) to the box.

Any help would be appreciated!

THX,
Andreas Westendörpf

Re: security question

[Martín Chikilian]

a.westendoerpf@gmx.de wrote:

> Hi *!

> I have the following setup. Please tell me if I have some security
> issues here.

> A linux box with two ethernet interfaces to work as a masquerading
> router. One of them (eth0) is connected to a dsl-modem, the other is a
> wlan card (eth1). All client systems get this box a default gateway
> via dhcp.

> My goal is to drop everything coming from the wlan by default. I do
> this with:

> # iptables -t nat -P PREROUTING  DROP

I don't know if i understand well what you wrote, but i think that your rule applies to drop packets being PREROUTED by default. What is the goal of this??
What you mean with "is to drop everything coming from the wlan by default" ??
You want to drop packets destined TO wlan by default???

> I want the all www-requests of the client systems to be redirected to
> the local Apache on the box. I do this with:

> # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 - REDIRECT

The corect rule for this is the next one:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -i eth1 -j REDIRECT

Note the POSTROUTING chain must be used (I think)

> As I need DNS for these www-requests I have to let DNS be accepted:

> # iptables -t nat -A PREROUTING -p udp --dport 53 -i eth1 -j ACCEPT

> Then, in the POSTROUTING chain I need all the packets that made it
> here to be masqueraded:

> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

> If I want to allow a specific wlan client to get outside connections I
> use:

> # iptables -t nat -I PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX
> -i the1 -j ACCEPT

> to let him through.

> Beside of MAC-spoofing, is this setup safe? Can someone get though the
> PREROUTING chain, without being "MAC-inserted".

Sure there are ways to bypass this restriction, but it is pretty difficult, imho ;-)

> What can I do to block incoming connection attempts? I only want to
> allow ssh from outside (internet) to the box.
Through wlan?? You can do:
iptables --policy INPUT DROP	/* DROP by default incoming packets
iptables --append INPUT --in-interface eth1 --destination-port ssh --jump ACCEPT

Note that if you drop incoming packets by default, you also need to add a few rules:
iptables --append INPUT --in-interface eth1 --match multiport --ports http,https,ftp,ftp-data,ssh,... --jump ACCEPT
You must add the ports that you and your clients commonly use.

Any other doubt, contact the list.

Ciao, Martin

Re: security question

[Antony Stone]

On Thursday 03 June 2004 4:06 pm, Martín Chikilian wrote:

> a.westendoerpf@gmx.de wrote:
> >
> > My goal is to drop everything coming from the wlan by default. I do
> > this with:
> >
> > # iptables -t nat -P PREROUTING  DROP

That is a terrible thing to do - it will drop all sorts of packets you don't 
want dropped.   Do not filter packets in the nat tables - filter them in the 
filter tables.

I know it may look innocuous enough, but don't do it - it will mess up your 
network.

Regards,

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.