SMC Barricade (SMC7004ABR) is an all-in-one networking solution for home and small business users. A security-related design flaw in the product does not separate internal hosts from DMZed networks as it should, allowing compromised hosts in the DMZ full access to the internal network.
Credit:
The information has been provided by Dustin Harriman.
As many of us know, hosts in a DMZ ("De-Militarized Zone") should not be able to initiate connections to internal LAN hosts. The whole point of having a DMZ is to prevent LAN hosts from also being compromised, should a DMZ host be compromised (through its internet-facing services, like web or ftp). However, when you set one of your LAN hosts to be the "virtual DMZ host" in SMC Barricade, that host can still connect in any usual way (e.g. ping, SSH, etc.) to the other LAN hosts. In other words, the "virtual DMZ host" is still part of the LAN, not "quarantined" somehow in a little network of its own.
Vendor response:
SMC has explained this by using a different definition of a DMZ, which basically goes like this: when you want to use network software that doesn't use standard ports (like ICQ file transfers), it's convenient to be able to back off all the firewall rules for a given host, so all ports are available. You will notice this definition results in less security, not more. According to SMC, this definition is the norm used by virtually all other home firewall appliance manufacturers; apparently, this makes it OK.
Possible solutions:
Do not use the DMZ feature on the Barricade; add firewall rules on all LAN boxes to protect them from the DMZ host. Although cumbersome, this should approximate the functionality of a DMZ.
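One way to carry out that workaround on a Linux LAN box, as an added example that is not part of the original advisory: a script that generates (and optionally loads) host-based iptables rules rejecting connections the virtual DMZ host tries to open toward this LAN host while still allowing replies to connections the LAN host opened itself. The DMZ host address 192.168.2.50 is an assumed placeholder, and the script assumes iptables with the conntrack match.

```shell
#!/bin/sh
# Host-based firewall rules for a LAN box, emitted in iptables-restore
# format so they can be reviewed before being applied.
# The Barricade backs off its own rules for the "virtual DMZ host", so
# each LAN host has to protect itself from that host.
# 192.168.2.50 is an assumed example address; change it for your network.

dmz_isolation_rules() {
    dmz_host="$1"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this LAN host opened to the DMZ host still flow.
-A INPUT -s ${dmz_host} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log (rate-limited), then drop, anything the DMZ host initiates toward
# this box: a compromised DMZ host probing the LAN shows up in the log.
-A INPUT -s ${dmz_host} -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "DMZ-to-LAN: "
-A INPUT -s ${dmz_host} -j DROP
COMMIT
EOF
}

# Self-check helper: number of generated rules that match on the DMZ host.
count_dmz_rules() {
    dmz_isolation_rules "$1" | grep -c -- "-s $1 "
}

# Usage: sh dmz_rules.sh [--apply] [DMZ_HOST_IP]
# Without --apply the ruleset is printed for review; with --apply it is
# loaded through iptables-restore (requires root).
case "$1" in
    --apply)
        dmz_isolation_rules "${2:-192.168.2.50}" | iptables-restore
        ;;
    *)
        dmz_isolation_rules "${1:-192.168.2.50}"
        ;;
esac
```

The same rules have to be installed on every LAN host, which is the "cumbersome" part the advisory mentions; watch the LOG lines for the DMZ host probing the LAN.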