On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
----- Original Message -----
From: "Jimmy Hess" <mysidia@gmail.com>
Or, the attack is against a legitimate user's outbound connection, for example: a user behind the firewall connects to a web site, a vulnerability in their browser is exploited to install a trojan -- the trojan tunnels to the attacker over an outgoing port that is allowed on the firewall.
Oh, certainly; I have lots of web browsers running on my servers.
All The World Is Not A Workstation, guys.
Is there *anything* on the allegedly protected subnet that has a web browser running on it? Maybe that laptop on the crash cart that you use for downloading firmware and installing it on storage appliances? If it's a corporate-sized NAT, do you have any desktops that have network reachability to the servers (probably do - if the desktops can't reach the servers, the servers aren't useful are they?) and also have web browsers that go to the outside world? I compromise an ad server someplace. Bob over in Accounting visits the CPA forum on the accountants-r-us.com website looking for suggestion on how to handle a tax issue. I now have control of Bob's workstation, and the question of whether your firewall does NAT or not just became totally moot. Defense in depth doesn't mean building a second Maginot Line behind the first is a good idea - it means you *also* have a capable army that will stop a German invasion coming in via Belgium.