Firewall Wizards mailing list archives

Re: Does blocking TCP DNS packets keep your Bind safe?


From: Todd <todd () unm edu>
Date: Tue, 13 Mar 2001 15:55:10 -0700 (MST)

darren, all,

On Wed, 14 Mar 2001, Darren Reed wrote:
> I think you're taking too hard a line on the ISC there.
>
> BIND is written in C and for better or worse, C is *HARD* to program in
> a secure and safe manner, especially when you have an application as large
> and complex as BIND is.
>
> The only way to run applications, such as BIND, is as non-root and in a
> chroot'd environment.  BIND makes it rather easy to do this.
>
> Maybe sendmail and BIND need to be rewritten in java ? ;)
>
> Darren

you're probably right.  but here's my point:  other people (in particular
dan bernstein) *do* seem to be able to write secure code in C.  it's not
easy, certainly.  you pretty much have to write your own string-handling
routines and avoid the libc as much as possible.  but qmail's been around
for quite a few years now with no vulnerabilities that can't be traced to
improper resource limitation by the administrator.

this is straying somewhat from the topic of firewalls, though.  the point
i wanted to make is that if you allow inbound traffic through your
firewall you'd better be darned sure of the services that traffic can talk
to.  darren does this by limiting the access of those services (which
seems pretty wise).  i do this by, additionally, choosing to use secure
programs from a known-good source.

=========================================================
Todd Underwood, todd () unm edu

=========================================================
