Wow, hi Eric. What you're saying is important. There are some mitigating
factors here, and I'd like to know from you how mitigating
you think they are.
> An intruder who takes over a machine on the DMZ can use it to
> stage attacks on the firewall. Because you've opened up ports on
> the firewall to accept Amanda-related connections from the DMZ
> Amanda server, you've given the intruder more ports to attack.
Although the Amanda server is on the DMZ, it does not have services available
for internet users. So, it's less exposed to hackers.
Besides, the DMZ hosts all have internal IP addresses. They access the internet
through a NAT firewall; this means that the external
world doesn't know about the existence of my internal Amanda server.
What I consider a mitigating factor here is that this Amanda server is
difficult to discover.
> Worse yet, because you have an Amanda client on the firewall,
> configured to accept connections from the DMZ server, an intruder
> can exploit any security problems (buffer overruns etc.) in
> Amanda itself!
The only port on which the firewall accepts INPUT packets for Amanda jobs is UDP
port 10080, and only if they come from the Amanda server's IP.
All the remaining necessary ports are controlled by the ip_conntrack_amanda
iptables helper module that I'm using on my firewall
machine.
Thus, the only way to get into the firewall is over UDP port 10080.
> It seems to me to be *much* safer to put the Amanda server on
> your internal network and have it reach *out* through the
> firewall to the DMZ machines. (You still weaken your firewall's
> security this way, but not nearly as much, because the Amanda
> server itself is now much less subject to attack.)
See, I think my server is very close to the situation you suggested here.
What do you think about it?
Thanks for your time,
Bruno Negrão
>
> --
>
> | | /\
> |-_|/ > Eric Siegerman, Toronto, Ont. erics AT telepres DOT com
> | | /
> When I came back around from the dark side, there in front of me would
> be the landing area where the crew was, and the Earth, all in the view
> of my window. I couldn't help but think that there in front of me was
> all of humanity, except me.
> - Michael Collins, Apollo 11 Command Module Pilot
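As an added example (it is not part of Bruno's or Eric's messages), here is the firewall-side setup Bruno describes written out as iptables rules: one UDP port open, only from the Amanda server, with the remaining data ports left to the conntrack helper. The server address is a constructed placeholder, and the functions emit the rules for review rather than applying them unless asked.

```shell
#!/bin/sh
# Added example, not from the original thread: the rule set Bruno describes
# (UDP 10080 open only from the Amanda server, everything else handled by the
# conntrack helper), written as functions so the rules can be reviewed before
# they are applied. The address below is a constructed placeholder.

AMANDA_SERVER="${AMANDA_SERVER:-192.0.2.10}"  # constructed placeholder for the DMZ Amanda server
AMANDA_PORT=10080                              # amandad's UDP port, as in the original message

# Emit the rules (one iptables command per line) for the given server address.
# Order matters: accept the initial request from the server, accept whatever
# conntrack has tied to it, then drop anything else aimed at amandad.
amanda_fw_rules() {
    srv="$1"
    cat <<EOF
iptables -t raw -A PREROUTING -p udp -s ${srv} --dport ${AMANDA_PORT} -j CT --helper amanda
iptables -A INPUT -p udp -s ${srv} --dport ${AMANDA_PORT} -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport ${AMANDA_PORT} -j DROP
EOF
}

# Load the Amanda conntrack helper. It parses the UDP 10080 exchange for the
# TCP data ports the two sides agree on and marks those connections RELATED,
# so no static port range has to be opened for them. The module was called
# ip_conntrack_amanda on 2.4/2.6 kernels (the name used in the thread) and
# nf_conntrack_amanda on later ones.
load_amanda_helper() {
    modprobe ip_conntrack_amanda 2>/dev/null || modprobe nf_conntrack_amanda
}

# Apply the rules; this needs root, so it only runs when asked explicitly.
apply_amanda_fw_rules() {
    load_amanda_helper
    amanda_fw_rules "$AMANDA_SERVER" | sh -e
}

# Print the rules for review by default; "--apply" installs them.
case "${1:-}" in
    --apply) apply_amanda_fw_rules ;;
    *)       amanda_fw_rules "$AMANDA_SERVER" ;;
esac
```

The raw-table `CT --helper amanda` line is what attaches the helper on kernels where automatic helper assignment is off (3.5 and later); on the 2.4/2.6-era kernels of the thread the module attaches itself by port when loaded, and that line can be dropped. Note that the helper is itself a parser of data sent by the DMZ host, so a bug in it is exposed to exactly the same source as amandad is; Eric's point about the client on the firewall applies to the helper in a smaller form.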