Firewall Wizards mailing list archives
Re: X server in a Firewall
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 27 Jan 2006 16:55:27 -0500 (EST)
On Tue, 24 Jan 2006, Chuck Swiger wrote:
> John M wrote:
> > On remote access:
> > Web servers tend to increase the risk, as does any remote technology.
> >
> > OK. But what is your recommendation to a Fortune 500 company? :) That is, if Coca-Cola wanted a Unix-based firewall and _wanted to manage it through a graphical interface_, what would you suggest? An X server running in a firewall sounds bad, but a web server or ssh server could be even worse (key logger on the management station or buffer overflow in the ssh or web daemon, and both run as root, so as to have permission to change the fw rules).
>
> In terms of their security history, OpenSSH isn't perfect, but comparing it to X11 is pretty amusing. Which one would you rather audit for poorly written code, potentially exploitable buffer overflows, and other security vulnerabilities:
>
> 5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
> -rw-r--r--  1 root  wheel   893K Sep  1 02:30 openssh-4.2p1.tar.gz
> -rw-r--r--  1 root  wheel    31M Feb 25  2005 xorg/X11R6.8.2-src1.tar.gz
> -rw-r--r--  1 root  wheel   3.8M Feb 25  2005 xorg/X11R6.8.2-src2.tar.gz
> -rw-r--r--  1 root  wheel   9.9M Feb 25  2005 xorg/X11R6.8.2-src3.tar.gz
Still missing a good chunk of ssh in there; where's the openssl tarball? Granted, not as large as the X tarballs, but folks should never have the impression that ssh stands alone. In fact there are a few more tarballs that should be in this mix: zlib, and likely a few crypto ones as well.

While still lopsided in code weight, not as lopsided as making the error of treating ssh as stand-alone....
Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins <Still Life With Woodpecker>