-
network concept
Hi everybody.
Seems like there's been some tension here lately, so hopefully this question will take minds elsewhere.
I am having a hard time finding the best way to explain this, so bear with me.
Now, a computer with a web server on it (Captain), connected to a firewalled computer (Grunt), which is then connected to a router and then the internet. And the data between Captain and Grunt is encrypted. Grunt is basically a slave of Captain and does whatever the Cap'n wants. Nothing can access Captain but Grunt, through a specific encrypted port. So, if a hacker looked at this network he would see only Grunt, right? Would this make Captain more secure? Is this already being used? Would this be a modified proxy? Does this question even make sense?
-
A little more information would be required, as in the IP addresses of Capt. and Grunt. Yes, it does make sense, and yes, it is already being used. I would call it more of a modified gateway than a modified proxy. There is a Linux distro called ipcop which is similar to what you're talking about. It's a gateway/firewall computer with snort, port forwarding, and DHCP along with some other stuff. Capt. is only as secure as the network as a whole; if you use weak passwords and such, then all your setup does is make accessing Capt. more tedious to the hacker.
As far as the hacker looking at the network goes, yes they would only be able to "see" grunt.
Think that answers everything, and hopefully sheds some light.
-
What can happen if someone "hacks" Grunt?
-
Darksnake gave you that answer, SirDice:
Quote:
Originally posted here by Darksnake
Capt. is only as secure as the network as a whole; if you use weak passwords and such, then all your setup does is make accessing Capt. more tedious to the hacker.
As far as the hacker looking at the network goes, yes they would only be able to "see" grunt.
In other words, if grunt itself were protected by strong enough passwords and completely patched, with no known exploits, your network would be secure. If a user were to let a trojan or worm into the network, as in opening an unknown attachment, grunt would stop the outbound traffic, unless the trojan gained access to the passwords/encryption used to communicate with grunt, which would be more likely than anyone finding an exploit for a fully patched and protected gateway, which is what grunt would be.
The cracker would most likely attempt to bypass the gateway and insert his attack into the network itself, rather than attempt to find an exploit that would work against the gateway.
One real pro for this kind of system is that a port scan would not show a network behind grunt, but just grunt itself. And not having the signature of a more common router might not trip to the fact that it is acting like a gateway.
-
If (hypothetically speaking ;) ) Grunt gets 0wn3d isn't it possible to attack Captain using the available encrypted connection?
So where is the added protection in encrypting the traffic between Grunt and Captain? IMO this will only add problems because you cannot use an IDS on that connection to alert you someone is doing something fishy.
-
If grunt is between the network and captain, it is acting as a "firewall". But I'm not sure what grunt is REALLY doing with the communication packets that are flowing through it. Does it analyse something?
Since grunt is hiding captain, all "services" will appear to be provided by grunt, right?
If grunt just transfers packets to/from captain, captain can still be attacked. For example, captain is running an HTTP server and grunt is forwarding packets to captain:80. If grunt does nothing except forwarding, an attack can be done through some web server weakness.
I can't see what grunt:captain encryption adds to external security. Does it serve to protect against INTERNAL network hacking? I can see only that purpose.
-
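The point in the post above, that a gateway which only forwards port 80 passes a web-server attack straight through to the box behind it, as an added example in Python. This is not code from the thread; the "crashes on an over-long path" behaviour of Captain is a constructed stand-in for "some web server weakness", and the request checks in the inspecting relay are an assumption about what a gateway that does more than forwarding could do.

```python
"""Toy model of Grunt forwarding port 80 to Captain. Added example, not from
the original posts. Captain's over-long-path weakness is constructed."""

from dataclasses import dataclass, field
from typing import List, Optional

MAX_PATH = 256   # assumption: Captain's server mishandles paths longer than this


@dataclass
class Captain:
    """Web server behind Grunt. The crash on a long path is a constructed
    weakness standing in for the 'web server weakness' in the thread."""
    crashed: bool = False
    served: List[str] = field(default_factory=list)

    def handle(self, raw: bytes) -> bytes:
        request_line = raw.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) != 3:
            return b"HTTP/1.0 400 Bad Request\r\n\r\n"
        _method, path, _version = parts
        if len(path) > MAX_PATH:
            self.crashed = True          # the constructed weakness fires
            return b""
        self.served.append(path.decode("latin-1"))
        return b"HTTP/1.0 200 OK\r\n\r\nhello from captain\n"


def blind_forward(captain: Captain, raw: bytes) -> bytes:
    """Grunt does nothing except forward port 80 to captain:80."""
    return captain.handle(raw)


def inspect(raw: bytes) -> Optional[str]:
    """Return a reason to drop the request, or None if it looks sane.
    These checks are an assumption about what an inspecting gateway might do."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete headers"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return "malformed request line"
    method, path, version = parts
    if method not in (b"GET", b"HEAD", b"POST"):
        return "method not allowed"
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        return "bad version"
    if not path.startswith(b"/") or b".." in path or len(path) > 128:
        return "suspicious path"
    headers = {}
    for line in lines[1:]:
        name, sep2, value = line.partition(b":")
        if not sep2:
            return "malformed header"
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return "missing Host header"
    return None


def inspecting_forward(captain: Captain, raw: bytes) -> bytes:
    """Grunt validates the request before it ever reaches Captain."""
    reason = inspect(raw)
    if reason is not None:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n" + reason.encode()
    return captain.handle(raw)


# Constructed sample traffic: one normal request, one over-long path.
GOOD = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
EVIL = b"GET /" + b"A" * 1000 + b" HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def demo() -> dict:
    """Run both traffic samples through each kind of relay."""
    results = {}
    c1 = Captain()
    blind_forward(c1, GOOD)
    blind_forward(c1, EVIL)
    results["blind_crashed"] = c1.crashed
    c2 = Captain()
    inspecting_forward(c2, GOOD)
    resp = inspecting_forward(c2, EVIL)
    results["inspecting_crashed"] = c2.crashed
    results["inspecting_status"] = resp.split(b"\r\n")[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the blind relay, Captain goes down even though an outside scan only ever showed Grunt; with the inspecting relay, the bad request is answered by Grunt and Captain never sees it. The encryption on the Grunt-Captain link plays no part in either outcome.
-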
What if you made your own service that handles the encryption, data, and direction, and this service runs on, say, port 1001 on captain, not port 80, but grunt has ports 80 and 1001 open? Assuming the code for this service has been done with security in mind and it is not open to the public, you could essentially "hide" that service from being seen by a normal user. Thus, the hacker would have a heck of a time figuring out what's going on even if grunt got 0wned.
Come to think of it, what if grunt and captain were connected by a parallel port? Or, would this make things harder to set up?
-
If grunt got owned, then grunt would serve as a remote shell, allowing the attacker to see everything that grunt can see and thus expose the network. Grunt serves as a gateway/firewall; the information going into grunt gets filtered before entering the internal network.
SirDice, you can still use an IDS on the incoming port from the internet, which would inform you about these fishy things people try. Wouldn't you say?
Yes, all services will seem to be coming from grunt, and yes, captain can still be attacked through port forwarding. But that is a whole different barrel of monkeys that you are opening. Now then, if this server is compromised by a remote exploit, let's say an Apache one for the sake of discussion, then more than likely the attacker would gain root privs. Now they just have to figure out how to access or manipulate a shell. If captain has a private IP, that would make it more difficult and would rule out most script kiddies.
Not knowing much about connecting computers through a parallel port, I would say yes, that would be more difficult, and I'm almost positive that it would slow down their communication speed. Personally, I would not recommend it.
-
I'm kind of lost as to why you would only encrypt the communications between the web server and the proxy/gateway.
Generally you will have this kind of stuff in a DMZ that has limited access and is monitored all to hell. It won't stop anyone on the outside from doing anything, they will see grunt, attack grunt, and deal with captain through grunt which is allowed to communicate with it.
If grunt is the only one allowed to talk to captain, you are going to have all kinds of fun updating content, doing general administration, and have a single point of failure when it comes to the services you offer.
Not to mention that it is somewhat inefficient to go through and encrypt absolutely all communication between the two boxes. I know a lot of people turn on encryption between their web and database servers... that makes sense. This doesn't make any sense to me, however...
-
Right, I wasn't sure if encryption would help or not (it seemed to make less sense the more I looked at it).
Also, if you accessed a site, you wouldn't know how that computer was set up in a network unless you looked around a little. So assuming a hacker got into grunt, I would figure this kind of network setup is not real common and the hacker might not (depending on intent) realize that grunt is relaying info from capt.
I gotta go to class now. be back
-
Quote:
Originally posted here by Darksnake
SirDice, you can still use an IDS on the incoming port from the internet, which would inform you about these fishy things people try. Wouldn't you say?
Yes. But I like to put an IDS before and after the firewall. That way I can verify that the firewall is doing its job properly (i.e. nobody made a configuration error).
-
Hello all,
In this particular scenario, I can't see any added benefit to having the link between CAPTAIN and GRUNT encrypted. Before accessing CAPTAIN, a hacker would first have to have control, at least to some degree, of GRUNT. Once achieved, the now compromised GRUNT will have full access to CAPTAIN (or whatever access GRUNT normally has), whether the link between the two boxes is encrypted or not. Because CAPTAIN trusts GRUNT, if you take control of GRUNT you take control of CAPTAIN. The encrypted tunnel will just as happily carry hacker traffic from GRUNT to CAPTAIN as it will legitimate traffic, once GRUNT is compromised.
Regards,
Alan Mott
-
Hi, if a hacker were to look at this network and the router has NAT (network address translation), he will only see the router and none of the other boxes.
cheers,
J
-
Hey Hey,
I might have missed it, or I may be sleeping (well, not sleeping, haven't slept yet), but half asleep. Anyways, what kind of router are we assuming? When I hear router, I think Cisco, Nortel, something of substance; however, the term router has been raped and now refers to **** like Linksys, D-Link, SMC, etc. In my opinion the type of router makes a huge difference in this scenario. Another question would be what are we dealing with: a home setup off a cable/DSL modem with a single IP address, a company with a single IP address on a true dedicated connection, or a company with many IP addresses?
As far as hiding the connection, that requires you to hide the process, modify binaries, and assume that the attacker (sounds better than hacker, doesn't it) hasn't brought in his own binaries that'll identify what's going on. Besides, a simple port scan would show the open port and they could work from there.
Regardless of what this system is being used for, I think you'd ultimately have to weigh cost (dollars, man-hours, resources) vs. effectiveness. In the end you're not going to have any added security over a system secured properly. It may take the attacker a bit longer to figure out what's going on, but as long as your "standard" security is up to par, they have to be somewhat decent to get to where they are, so they'll probably figure out the rest. If it's some little skiddie, then you'd have to question where you went wrong in your basic security setup to let them in, and the rest doesn't really matter.
Peace,
HT