
Why Protecting Within the Perimeter is Important


Security Focus recently ran an article on using HTTP Tunneling to breach a firewall and attack an internal system. While the article writer trivializes the fact that two servers in this scenario must be breached prior to attacking the firewalled host, he does, albeit unintentionally, demonstrate one thing: even your machines inside the perimeter should be locked down.

Using the author’s fictional network setup, we first notice that the attacker has breached a Windows IIS server. This demonstrates the obvious: patch, patch, patch.

More important is the second box, the Solaris box. The fictional admin in the scenario has basically relied on his router traffic rules to protect the box from outside access to various ports. As we can see in this demonstration, this becomes his downfall as it only takes the breach of one DMZ machine to get access to the others.

To put things more succinctly: shut off all unnecessary services!

Why is the Solaris box running telnet instead of SSH? Telnet, as we all should know, is inherently insecure. Why would the box need to run a finger server? Does anyone even use that anymore? I think the hacker would have to be very optimistic to hope it’s running. If the box is intended for SMTP and DNS, then those should be the only services running, with the possible exception of SSH for remote administration. Period.
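One way to check a box against that rule, as an added example that is not from the original post or the Security Focus article: parse the host's own listening-socket table and report every TCP listener outside the role's allowlist, regardless of what the router filters. The sample input is constructed and only modeled on Solaris-style `netstat -an` output (local address written as `addr.port`); the column layout, addresses and port 5987 are assumptions.

```python
# Role allowlist taken from the post: SMTP and DNS, plus SSH for administration.
ALLOWED = {25: "smtp", 53: "dns", 22: "ssh"}

# Constructed sample, modeled on Solaris-style `netstat -an` TCP output.
SAMPLE = """\
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.23                 *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN
      *.53                 *.*                0      0 49152      0 LISTEN
      *.79                 *.*                0      0 49152      0 LISTEN
10.0.0.5.25          10.0.0.9.40112       49640      0 49640      0 ESTABLISHED
127.0.0.1.5987             *.*                0      0 49152      0 LISTEN
"""

def listening_ports(netstat_text):
    """Return {port: set of bind addresses} for sockets in LISTEN state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "LISTEN":
            continue  # skips headers, separators and established connections
        # The port is whatever follows the last dot of the local address.
        addr, _, port = fields[0].rpartition(".")
        if port.isdigit():
            ports.setdefault(int(port), set()).add(addr)
    return ports

def audit(netstat_text, allowed=ALLOWED):
    """Return sorted (port, exposure) pairs for listeners outside the allowlist."""
    findings = []
    for port, addrs in sorted(listening_ports(netstat_text).items()):
        if port in allowed:
            continue
        # A wildcard or routable bind is reachable from any neighbouring host,
        # including a compromised machine in the same DMZ.
        loopback_only = addrs <= {"127.0.0.1"}
        findings.append((port, "loopback-only" if loopback_only else "network-reachable"))
    return findings

if __name__ == "__main__":
    for port, exposure in audit(SAMPLE):
        print(f"unexpected listener on tcp/{port} ({exposure})")
```

On the constructed sample this flags telnet (23) and finger (79) as network-reachable, which is exactly the exposure a neighbouring DMZ host sees once it is inside the router's rules.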

A firewall is not the be-all end-all of protecting your network. Lock down your boxes! Paranoia is a good thing.
