Re: Groklaw's "Bias" and the SCO DDoS Attack
From: Jeff Liebermann (jeffl_at_comix.santa-cruz.ca.us)
Date: 12/14/03
- Next message: Tony Lawrence: "Re: OT: changing the subject Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Previous message: /dev/null: "Re: mailing out of SCO openserver"
- In reply to: Bill Vermillion: "Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Next in thread: Bill Vermillion: "Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Reply: Bill Vermillion: "Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 14 Dec 2003 10:46:12 -0800
On Sun, 14 Dec 2003 15:35:01 GMT, bv@wjv.comREMOVE (Bill Vermillion)
wrote:
>Yup. And if I'm not mistaken if the server is behind a firewall
>on the same local LAN your office machines are you can congest that
>LAN - again providing you have incoming links fast enough to make a
>difference - which is not that common.
I left out saturating the router. Many web servers are cheap NAT type
routers, with port 80 redirected to a web server on the LAN side. Add
a few complex ACL rules and the router will choke before the server
overloads. My guess(tm) is that SCO doesn't do it that way. However,
my last visit to a large server farm showed a substantial number of
cheap routers hanging in back of a 2ru server. The reason is simple:
It doesn't occupy rack space and therefore doesn't add to the monthly
rackspace charges. It's also very easy to install and set up. A fast
glance at the racks appeared to indicate that many of the servers had
no independent firewall of any kind between the switch/router and the
web server and probably rely on a software firewall of some sort.
>You've never seen one? It takes ONE machine - at least a 486 -
>three NIC cards - and $995. [That was the price when I first saw
>it].
I've built my share of FreeSco and LRP firewalls. I've set up a DMZ
port on these for servers. I've also used Sonicwall DMZ routers.
However, be advised that there are two flavours of DMZ. One is a real
DMZ, between two routers, where access to the servers in the DMZ is
still subject to the firewall rules of the outer WAN router. The
other has no dedicated port, and assigns a single NAT LAN side IP
address that has no filtering rules applied of any sort. The former
is a classic dual router plus DMZ incantation and offers proper
security. The latter is found on cheap NAT routers. Hardware routers
that have a dedicated ethernet port (i.e. Sonicwall DMZ) can be set up
for either configuration. In general, if the DMZ IP address is
routeable, it usually has firewall rules applied to its traffic. If
the DMZ IP address is on the LAN side with a non-routeable IP address,
it's wide open.
That said, I actually have seen and set up Sonicwall DMZ routers.
However, after tinkering with the topology and thanks to the rather
odd way that SBC/PBI delivers 5ea IP addresses, it was decided to move
the public web server out of the DMZ, and onto the LAN. What I was
thinking is that I have never seen a real dual router plus DMZ setup
where there really are two separate physically separated boxes. I'm
sure they exist and serve their purpose, but the class of customer
that I deal with simply doesn't have the talent, resources, or need
for such an arrangement.
>GTA - Global Technology Associates - started with a program
>called the Gnat Box. They are local and I guess I'm more familiar
>with them than most because back in Thee Olde Dayze - before they
>got their own connections - my machine was handling their email.
Way back then, everyone was following their own path. Mine was
PCBridge by Doug Karl of Ohio State Univ, that later became Karlbridge
and then Karlnet. I still have one router on a floppy running, but
prefer to boot from CD-ROMs or compact flash cards. I looked at the
GNAT box, but realized at the time that my customers would not pay the
price.
>Paul Emerson - owner - had the first and for awhile the only SW
>fully ICSA certified firewall. He's branched out into drop in
>boxes but the original is still there.
>I don't think $1000 is too much for a firewall and many of the
>small business solutions in HW cost far more than that.
Well, we're diverging here. A firewall that's suitable for a web
server at a server farm is quite different from one that's suitable
for a small business gateway, which is quite different from one that
protects a home user. All the box vendors have different products for
each of these areas. I'm still searching for the ultimate universal
firewall. At the beginning of 2003, I was pushing Netscreen products.
Now, I'm switching to SnapGear due to pricing issues. Incidentally,
both are Linux based hardware routers.
http://www.snapgear.com/vsnetscreen.html
>Maybe it's just that people don't know they exist. I do know that
>for the first 2 or 3 years - when people weren't so concerned with
>security in the US that the vast majority of Paul's systems
>were in large to extremely large foreign corporate installations.
I don't fit into his customer profile or price range these daze. I
know he exists because some of my customers insisted on an ICSA
certified product. However, they bought Sonicwall for about the same
price.
>And I've seen people who might be considered anal retentive put
>their own servers behind their firewall on their own local LAN.
>From my POV that has the potential for disaster if someone breaks
>the web server.
Yep. The price of NAT "protection" is the lowest of the whole bunch
of potential solutions. There's a place for those that always pick
the cheapest. Unfortunately, most of them are also my customers so I
have to be nice. It's like backups. Nobody duz backups until AFTER
they have lost data. Nobody installs proper firewall protection (or
builds proper topology) until AFTER some hacker has trashed their
system. Since I'm a repairman, not a system architect, much of what I
do is admittedly patchwork and kludge until the next round of funding
or planning allows for a proper implementation.
>>3. I'm a big fan of 'single application servers' which largely follow
>>what you describe.
>Absolutely. Not having enough to have duplicates of everything I
>run the secondary MX on another machine - but no machines are doing
>more than two things.
That's a good rule but does get expensive. I'm currently watching one
company switch from my "single application server" philosophy, to a
Windoze 2003 server, all thy eggs in one basket solution. The
inspiration was that the mix of OSR5, Linux, and W2K servers was so
reliable, that nobody bothered to do any maintenance and upgrades.
Eventually, things started to literally fail and die. So, they were
forced to buy new hardware and didn't want to pay for transplanting
multiple servers. So, their rent-a-wizard decided that the answer to
all problems was Windoze 2003 server. I haven't seen the cost but it
wasn't pretty. When finished, there will EVENTUALLY be a second
backup AD server and a possible offsite mirrored server, but all the
single application boxes that have been puttering along nicely for 10
years will be history. They rejected my suggestion of "Tower of
Babel" as an appropriate project name. This should be interesting.
>If the web server is on the inside I can see why they would
>have internal LAN problems. Look at how badly the Slammer slowed
>down internal systems as well as network systems. But since we do
>not know the full configuration we'd just have to guess.
I'm not very good at probing past firewalls. However, the recently
posted SCO DNS Zone transfer should give a few clues as to SCO's
internal topology. For example, sorting the list by IP address will
show which services are resident on the same box.
http://www.google.com/groups?selm=6pklb.836693%24YN5.928830%40sccrnsc01
Looking at the results, it's not as bad as I thought. However, I
don't wanna suggest vulnerabilities and weak points.
>In closing, do check out www.gta.com when it comes to firewalls
>including DMZ.
Well, if you insist...
--
Jeff Liebermann
150 Felker St #D Santa Cruz CA 95060
(831)421-6491 pgr (831)336-2558 home
http://www.LearnByDestroying.com AE6KS
jeffl@comix.santa-cruz.ca.us jeffl@cruzio.com
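The two "DMZ" flavours Jeff contrasts above (the cheap NAT router's unfiltered "DMZ host" versus a real DMZ on its own port behind firewall rules), written out as iptables rule sets for a Linux router. This is an added illustration, not code from the original message or from any vendor named in it; the interface names, subnets and server addresses are assumed, and the functions only print the rules unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: the two DMZ topologies from the post as iptables rules.
# Interfaces and addresses below are assumed for the illustration.
DRY_RUN=${DRY_RUN:-1}
WAN=eth0; LAN=eth1; DMZ=eth2
WEB=10.0.0.10                # web server on the dedicated DMZ interface
NAT_DMZ_HOST=192.168.1.10    # "DMZ host" on a cheap NAT router: a LAN address

# Print the rule when dry-running, apply it (needs root) otherwise.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Flavour 1: cheap NAT router "DMZ host". Every unsolicited inbound packet
# is redirected to one LAN address with no port or protocol filtering, so
# the host is wide open and shares its wire with the office machines.
nat_dmz_host_rules() {
    ipt -t nat -A PREROUTING -i "$WAN" -j DNAT --to-destination "$NAT_DMZ_HOST"
    ipt -A FORWARD -i "$WAN" -d "$NAT_DMZ_HOST" -j ACCEPT
}

# Flavour 2: real DMZ on its own interface. Only the published service
# (HTTP) is let in, the DMZ can never open a connection into the LAN,
# and anything not explicitly allowed is dropped.
real_dmz_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # publish port 80 only, and only to the web server
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$WEB" --dport 80 -j ACCEPT
    # office LAN may reach the DMZ; the DMZ may never start traffic to the LAN
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Quick check usable on either rule set: how many rules admit WAN traffic
# without restricting it to a port? A real DMZ should report 0.
unfiltered_inbound_rules() {
    "$1" | grep -- "-i $WAN" | grep -vc -- '--dport' || true
}

nat_dmz_host_rules
echo "unfiltered inbound rules (NAT DMZ host): $(unfiltered_inbound_rules nat_dmz_host_rules)"
real_dmz_rules
echo "unfiltered inbound rules (real DMZ): $(unfiltered_inbound_rules real_dmz_rules)"
```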