Great Circle Associates Firewalls
(September 1995)
 


Subject: Re: Where to put Internet Services?
From: Brent @ GreatCircle . COM (Brent Chapman)
Date: Wed, 6 Sep 1995 10:27:49 -0800
To: msh @ chesapeake . com, firewalls @ greatcircle . com

At 11:48 AM 9/6/95, Matt Hagadorn wrote:
>My company is looking at getting a "real" connection to the Internet
>(surprise!) and since I'm the network guy I get to learn more than I ever
>wanted to know about firewalls. The part I don't understand is where you
>would place application services (WWW server and anon FTP server for outside
>customers to access) in the case of a dual-homed gateway or a screened-host
>firewall.
>
>In the case of a dual-homed firewall, I would assume the FTP and WWW server
>software would be directly on the firewall machine? Is this a security risk?

Yes, that's pretty much what folks usually do, and yes, it's a risk.  In a
nutshell, when (not if) someone breaks into your dual-homed host (via those
services or others), you're hosed; the attackers will then have free access
to your internal network.  It generally doesn't take much (often just a
little bit of packet sniffing) to leverage that into access to the internal
systems.

>Or do you just provide an incoming proxy on the firewall that points to
>an inside machine running the httpd or ftpd servers?

You could do that, but you're merely moving the problem, not eliminating it.

>In the case of the screened host implementation, do the services go on the
>bastion host, or does it simply offer an incoming proxy service to the real
>machine running the WWW or FTP software? I don't see configuring the router
>to allow incoming FTP or http traffic to a host other than the bastion,
>otherwise you're no longer running a screened host type of firewall. Am I right?

Again, you could do it either way, but the problem remains: when someone
compromises the bastion host, your internal network is completely exposed
to it.

This is why I strongly prefer screened subnet architectures to screened
host or dual-homed host architectures.  There's a measure of redundancy in
a screened subnet architecture; even if an attacker utterly compromises the
bastion host, they still have to get past the interior filtering system to
attack the internal systems, and there's no strictly-internal traffic for
them to snoop on while they're trying to figure out how to proceed.

We discuss these and other related issues in some detail, complete with
diagrams, in Chapter 4 of "Building Internet Firewalls"; see
http://www.greatcircle.com/firewalls-book or send email to
firewalls-book-info @ greatcircle . com for more information about the book.


-Brent

--
Brent Chapman         | Great Circle Associates  | For Firewalls Tutorial info:
Brent @ GreatCircle . COM | 1057 West Dana Street    | Tutorial-Info @ GreatCircle . COM
+1 415 962 0841       | Mountain View, CA  94041 | http://www.greatcircle.com
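
The comparison made in the message above, worked as an added example that is not part of the original post or of the book it cites: a toy model that computes what a compromised bastion host can reach and sniff in each of the three architectures. The host names (`desktop`, `mailhub`), the segment names and the single SMTP rule on the interior router are constructed assumptions, and segments are assumed to be shared media, so any attached host can see all traffic on them.

```python
# Toy model (constructed): each architecture is a map of network segments to
# attached hosts, plus the allow list an interior packet filter enforces.
INTERNAL = {"desktop", "mailhub"}          # hypothetical internal systems

ARCHS = {
    "dual-homed host": {
        "segments": {"outside": {"bastion"},
                     "inside": {"bastion", "desktop", "mailhub"}},
        "filters": {},
    },
    "screened host": {
        # The screening router sits between the Internet and this one segment;
        # the bastion itself lives on the internal network.
        "segments": {"inside": {"bastion", "desktop", "mailhub"}},
        "filters": {},
    },
    "screened subnet": {
        "segments": {"perimeter": {"bastion"},
                     "inside": {"desktop", "mailhub"}},
        # Interior router: assumed to pass only SMTP from perimeter to the mail hub.
        "filters": {("perimeter", "inside"): {("mailhub", 25)}},
    },
}

def exposure(arch, compromised="bastion"):
    """What an attacker holding `compromised` gets with no further exploit."""
    own = [s for s, hosts in arch["segments"].items() if compromised in hosts]
    attached = set().union(*(arch["segments"][s] for s in own))
    return {
        # Hosts on a shared segment are reachable on every port, unfiltered.
        "unfiltered_hosts": attached & INTERNAL,
        # Internal-to-internal traffic appears only on a segment with >= 2 internal hosts.
        "can_sniff_internal": any(len(arch["segments"][s] & INTERNAL) >= 2 for s in own),
        # Everything else must pass the interior filter's allow list.
        "filtered_paths": {hp for (src, _), allowed in arch["filters"].items()
                           if src in own for hp in allowed},
    }

def compare():
    return {name: exposure(arch) for name, arch in ARCHS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16} {result}")
```

In this model only the screened subnet leaves the attacker with an empty unfiltered set and nothing internal to sniff; the remaining path is whatever the interior filter explicitly allows, which is the set to keep small and to monitor.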


