[Tfug] Topology questions
Bexley Hall
bexley401 at yahoo.com
Tue Oct 9 00:29:32 MST 2012
Hi Will,
On 10/8/2012 10:24 PM, William Stott wrote:
> When your FTP / HTTP server gets owned, they have access to
> control the bypass and configure their own routing on your system.
> Hence, your network security now relies on your services, regardless
> of your firewall or router.
If the FTP/HTTP server sits inside the firewall (but outside the
router) and gets owned your firewall doesn't exist (anymore). I.e.,
an attacker can then launch a directed attack on your router -- even
though the router had *assumed* the firewall was blocking access to
certain ports, from certain addresses, etc.
> So, security isn't really the best interest of a multihomed
> configuration (even if you don't intend to route the traffic).
So, the solution is not to let the FTP/HTTP/etc server get owned!
(equivalently, to render it *impotent* even if it *was* owned).
If I put an SoC with a single NIC and USB (slave *or* host)
port on it, I can then implement just the front ends of the
FTP/HTTP/etc. protocols in that device (in < 1MB of FLASH
and with only enough RAM to buffer packets/connections).
Then, run Styx over USB to connect to the FTP/HTTP server
(again, sited where I described on the internal internets).
*In* the FTP/HTTP server, I can just build a namespace containing
only those assets that I want to export -- regardless of the
other assets available to other hosts (they are "invisible"!)
A USB2 link would easily support the ~3MB/s you typically see
on a home network connection (very little Styx overhead).
*And*, the FTP/HTTP server can easily shed traffic coming in
over the styx link -- simply by not *noticing* it! :>
You don't even care if this "external FTP/HTTP" server gets owned!
*It* can't *do* anything! (If it was FLASH based, it would
be difficult for anything to gain *any* control over it!)
With such minimal requirements, I can probably do this for
a ten-spot and a watt or two! Something comparable to an
"Ethernet USB dongle".
It also means I can probably put *all* the data store on that
server instead of serving video and audio from other boxes
(the advantage being that the video and audio could then be
accessible at "local network speeds" on *all* networks!
Of course, this would be a bit of a hassle for casual programmers
to maintain/modify. But, they'd have just as hard a time dealing
with the "BIOS", OS, drivers, etc. in these devices, regardless!
So, what's one more black box?? ;-)
Unfortunately, I don't see any way to generalize this to *all*
connections as it would be an excellent way to implement a
bulletproof firewall/router!
> This is why I hold my ground on a single service entry point,
> non-routable based on hardware configuration, with a proxy service
> to help provide the security that you need beyond layer 4. I can
> explain further, but I refused to write an email
> longer than I would want to read.
I guess it depends on how *fast* you can read (and write)! ;-)
--don
More information about the tfug
mailing list