Sarah Elton ([info]sarah_elton) wrote,
@ 2006-09-06 09:36:00
Current mood: confused

One for the techies....
Our company has blocked access to the public website (fftw.com) from internally. My colleague said it's a security threat if we access it, because it's held on internal servers so we're creating an Internet connection from internally round to that server. He's not an IT bod, but said he's come across this in another company and couldn't explain it more than that. I want to know why that's a security threat....






[info]azekeil
2006-09-06 12:37 pm UTC
Okay, a quick primer on TCP/IP and packet routing (some of this you may already know - in which case I apologise):

When you type in a website address, the name has to be converted to numbers (much like looking up the phone number of the person you want to reach). This process uses a service called DNS, which stands for Domain Name Service.

This number, called an IP (Internet Protocol) address, is unique on the internet, with several important exceptions that I won't talk about here because they're not relevant.

A connection is made of lots of individual packets, which each contain the source address IP (where they came from), and the destination IP address (where they want to go). Each machine on the way receives the packet and scans the destination IP. Usually the machine won't be connected directly to the destination server, but knows to send on packets it doesn't know to somewhere hopefully closer to their destination, much like a post office sorting depot. Eventually these packets get to their destination.

One way to make a network more secure is to segregate it from the unsecured local network (where people's computers aren't so tightly controlled and therefore may be compromised or otherwise untrustworthy). Usually a company has a separate firewall (or network card if it's in one firewall) for the general internet traffic and another for the DMZ.

Most often, firewalls are configured so that traffic coming from one place (e.g. internal, internet, DMZ) is treated differently - this is usually done not by source address (as this information comes from the sender and can therefore be spoofed) but by the hardware interface - the physical port the traffic is received on. To allow them to just simply cross from the internal network into the DMZ would negate the benefit of segregation - this would be akin to making some traffic from internal networks look like it was coming from the internet - and vice versa. There is a chance that carefully crafted packets could make it from the internet to the internal network - bypassing all of the security you'd put in place.

The most secure way would be to use the company's normal internet connection to go out, then another server to bounce back in. This would also mean there has to be no separate special configuration to maintain to allow internal access directly to the DMZ (with all its risks as I outlined above).

There, does that make sense?

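An added illustration of the zone logic azekeil describes (example code written for this page, not from any commenter or product): a toy firewall that decides a packet's ingress zone from the interface it arrived on, beside the weaker variant that trusts the source address. The interface names, the 10.0.0.0/8 and 192.0.2.0/24 ranges, and the rule set are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: which zone each physical interface faces.
IFACE_ZONE = {"eth0": "internet", "eth1": "internal", "eth2": "dmz"}
# Constructed address plan; anything else is treated as the internet.
ZONE_NETS = {"internal": ip_network("10.0.0.0/8"),
             "dmz": ip_network("192.0.2.0/24")}

# Rules: (from_zone, to_zone, allowed ports or None for any, verdict).
# First match wins; anything unmatched falls through to DEFAULT.
RULES = [
    ("internet", "dmz", {80, 443}, "allow"),  # the public web site
    ("internal", "internet", None, "allow"),  # staff browsing out
    ("internal", "dmz", None, "deny"),        # the block the post asks about
]
# The "special configuration" the comment warns about: internal may reach
# the DMZ directly on any port.
RULES_DIRECT_DMZ = [r if r[:2] != ("internal", "dmz")
                    else ("internal", "dmz", None, "allow") for r in RULES]
DEFAULT = "deny"


def zone_by_address(ip: str) -> str:
    """Zone implied by an address alone. Fine for destinations (the firewall
    knows its own networks); unsafe for sources, which the sender chooses."""
    addr = ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "internet"


def decide(iface: str, src: str, dst: str, dport: int,
           rules=RULES, trust_source: bool = False) -> str:
    """Return 'allow' or 'deny' for one packet.

    trust_source=False: ingress zone comes from the receiving interface.
    trust_source=True:  ingress zone comes from the spoofable source address.
    """
    from_zone = zone_by_address(src) if trust_source else IFACE_ZONE[iface]
    to_zone = zone_by_address(dst)
    for rule_from, rule_to, ports, verdict in rules:
        if (rule_from, rule_to) == (from_zone, to_zone) and \
           (ports is None or dport in ports):
            return verdict
    return DEFAULT
```

A packet arriving on the internet-facing interface with a forged 10.x source stays "internet" traffic under the interface rule, so it only ever gets the public-website ports; the same packet judged by its source address inherits whatever the internal zone is allowed.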


[info]sarah_elton
2006-09-06 01:07 pm UTC
It does now, thanks for explaining - I like to understand these things. :o))


