Firewall Wizards mailing list archives
Re: Does blocking TCP DNS packets keep your Bind safe?
From: Todd <todd () unm edu>
Date: Tue, 13 Mar 2001 15:55:10 -0700 (MST)
darren, all,

On Wed, 14 Mar 2001, Darren Reed wrote:

> I think you're taking too hard a line on the ISC there. BIND is written in C and for better or worse, C is *HARD* to program in a secure and safe manner, especially when you have an application as large and complex as BIND is.
>
> The only way to run applications, such as BIND, is as non-root and in a chroot'd environment. BIND makes it rather easy to do this.
>
> Maybe sendmail and BIND need to be rewritten in java ? ;)
>
> Darren

you're probably right. but here's my point: other people (in particular dan bernstein) *do* seem to be able to write secure code in C. it's not easy, certainly. you pretty much have to write your own string-handling routines and avoid the libc as much as possible. but qmail's been around for quite a few years now with no vulnerabilities that can't be traced to improper resource limitation by the administrator.

this is straying somewhat from the topic of firewalls, though. the point i wanted to make is that if you allow inbound traffic through your firewall you'd better be darned sure of the services that traffic can talk to. darren does this by limiting the access of those services (which seems pretty wise). i do this by, additionally, choosing to use secure programs from a known-good source.

=========================================================
Todd Underwood, todd () unm edu
=========================================================