At 15:16 2003-02-12 -0500, Chris Santerre wrote:
Can you believe I'm actually getting to this just now!
Apparently.
> it?". In contrast, if the IP belongs to you, why not just
> set up that host
> with that IP address in the first place?
I would love it to just say my sendmail gateway. I have no problem with
using my own IP.
Set the exchange server up on a real IP address and totally, completely,
firewall that IP address from the outside world at your firewall.
> visible to the internal network on which it is located. So, why the
> concern over the outside world being able to see it in the headers?
Discovery is the first part to hacking.
To get to a non-routed machine, they'll first need to hack a routed machine
on your network - such as your email gateway. If that happens, you're
already in trouble. Once they hack that system, they'll have access to the
mail logs and be able to see the internal mail server that communicated
with that machine.
Further, once they've hacked into the routed machine (establishing such a
foothold IS a necessary step for reaching a non-routed host), all they have
to do is run:
arp
and they'll have a list of hostnames, ip addresses, and MAC addresses for
all the hosts which the compromised host has been connected to
recently. Further, if there are multiple interfaces on the compromised
host (say, an ethernet connection to the outside world, and a separate
ethernet connection to the "secured lan"), that would be identified as
well. A little bit of discovery on that host would determine netblocks
used for the local network(s) to which it has access, and a few iterative
ping operations later, that host could have even more information about
your internal network.
So, the outside world knows you have some server internal to your network -
fact is, if they're talented enough to gain access to your network in the
first place (through that gateway machine you can't hide), and if they CARE
what is on your network enough to bother trying to hack it, it won't take
them long to find out that it is there and where.
If your would-be attacker is incapable of establishing a foothold on a
gateway host to your LAN, then there's not really much they can do about
non-routed hosts _internal_ to your LAN.
IOW, "security by obscurity" will only give you a false sense of safety.
But hey, that's just my opinion.
You need to break a few eggs to make an omelet. I was never one to follow
rules to the "T" :-)
That's like telling the Wright brothers not to break the rules of gravity.
FTR, they didn't break the rules of gravity. They worked to better
determine what the extent of those rules were and how to work within the
confines of those rules to achieve what they did, in turn determining
several of the fundamental laws of aerodynamics.
Some laws can't be broken no matter how hard you try. Others can be bent
or interpreted differently. Yet others simply shouldn't be, at your own peril.
Trust me, after cross posting this message to the list, I wished there was a
"D'oh!" button to get it back! Upon further research, I think the 2 internal
IP addresses is a great idea. One for outgoing and one for incoming. So even
if they get thru the front door, they only have the IP of the server going
out. So they would have to fight another firewall.
Uh, if incoming messages go through a different host than outgoing messages
(which is entirely allowed, even encouraged by, the mail protocols), all
someone has to do is send you a message, or simply look up the mail exchanger:
host -t MX yourdomain
and they'll know the address of the mail gateway machine.
Obviously, if they _receive_ email from you, they'll have the address of
the sending mail gateway.
If you internally firewall connections to servers which should be secured,
that's great.
In any organization, there's always the risk that someone on the _inside_
may choose to circumvent protections, yet most organizations don't invest
nearly the same effort into securing their systems from such abuses. That
could be the employee who thinks spoofing the company mailserver to send
spam is a good idea, or the employee who is conducting industrial
espionage. It takes all types.
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
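As an added example, not part of the thread above: the "discovery" point made in the reply (that an outside recipient already learns the internal mail server's name and address from the Received: headers of any message you send them) can be shown by parsing those headers. The script below is illustrative code written for this page; the sample message, the hostnames mailgw.example.com and exchange01.corp.example.com, and the addresses in it are constructed, not taken from the original exchange. It checks the RFC 1918 ranges explicitly rather than relying on Python's is_private, which also flags documentation ranges such as 192.0.2.0/24.

```python
import re
import ipaddress
from email import message_from_string

# Constructed sample message (not from the original thread): an outbound
# mail that a hypothetical internal Exchange host relayed through the
# gateway to an outside MTA. Only the gateway is routable.
SAMPLE_MESSAGE = """\
Received: from mailgw.example.com (mailgw.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id abc123
\tfor <someone@example.net>; Wed, 12 Feb 2003 15:20:01 -0500
Received: from exchange01.corp.example.com (exchange01.corp.example.com [10.1.2.3])
\tby mailgw.example.com with ESMTP id def456;
\tWed, 12 Feb 2003 15:19:58 -0500
From: chris@example.com
To: someone@example.net
Subject: test

body
"""

# RFC 1918 private ranges: any address in these is a non-routed host
# that the recipient has now been told about.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def is_rfc1918(ip):
    """True if ip falls in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_received(raw_message):
    """Return (claimed hostname, bracketed IP) for each Received: header,
    in header order, i.e. most recent hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        line = " ".join(hdr.split())        # unfold continuation lines
        host_m = FROM_RE.match(line)
        ip_m = IP_RE.search(line)
        hops.append((host_m.group(1) if host_m else None,
                     ip_m.group(1) if ip_m else None))
    return hops


def leaked_internal_hosts(raw_message):
    """Hops whose Received: line names a host with an RFC 1918 address.
    These are the internal machines visible to whoever receives the mail."""
    return [(host, ip) for host, ip in parse_received(raw_message)
            if ip and is_rfc1918(ip)]


if __name__ == "__main__":
    for host, ip in parse_received(SAMPLE_MESSAGE):
        print(f"hop: {host} [{ip}]")
    print("internal hosts visible to the recipient:",
          leaked_internal_hosts(SAMPLE_MESSAGE))
```

Run against real mail, the same parser shows what a gateway's own Received: stamp hands to every correspondent; the only way to keep the internal name and address out is to have the gateway rewrite or drop that header on the way out, which is a separate decision from whether the internal server is reachable at all.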