Firewall Wizards mailing list archives
Re: X server in a Firewall
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 24 Jan 2006 21:27:33 -0500 (EST)
On Tue, 24 Jan 2006, John M wrote:
> On the local GUI: The more code, the more potential vulnerabilities.
> On remote access: Web servers tend to increase the risk, as does any remote technology.
>
> OK. But what is your recommendation to a fortune 500 company? :)
If you *must* run a GUI, then lock it down and make the admins run it on the local console.
> That is, if Coca-Cola wanted a unix based firewall and _wanted to manage it through a graphical interface_, what would you suggest? An X server running in a firewall sounds bad, but a web server or ssh server could be even worse (key logger on the management station, or buffer overflow in the ssh or web daemon, and both run as root, so both have permission to change the fw rules).
Out of band management (i.e. get off your posterior and walk to the firewall) is always a winner for me. I don't like remote access to my firewalls, but if I have to have it, then it's got to be out of band (really out of band, not VLAN/crypto) if I get to have my way.
> Besides the firewall, there's a proxy running on the box too (as an unprivileged user), so the box could be compromised remotely through it and the privilege escalated through an X server vulnerability.
If you permission things well, then that should be a low chance.
> I mean, the ssh or web server port used to manage it could be vulnerable to a buffer overflow attack, so if only a specific IP (the admin) could connect to this port, it would still be vulnerable, but nobody else could exploit it, except if they spoof the admin IP :)
If you can't trust your proxies, it's time to change proxies ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
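A concrete version of "lock it down" and "permission things well", as an added example that is not part of Paul's post or of the thread: a POSIX shell audit that (a) prints iptables rules confining ssh management to the out-of-band interface and a single admin address and dropping X11 TCP outright, (b) flags management daemons (sshd, httpd, X) listening anywhere but the management address or loopback, and (c) flags setuid-root binaries, an X server wrapper among them, that an unprivileged proxy account could use to escalate. The interface name, the addresses and the sample listener and setuid lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a firewall host for the two
# exposures argued over above -- a management daemon that listens somewhere
# other than the out-of-band management address, and a setuid-root X server
# binary that an unprivileged proxy account could run to escalate.
# Sample inputs below are constructed so the script runs offline; on a real
# box feed it the output of `ss -lntp` / `find / -perm -4000 -ls`.

MGMT_IF="${MGMT_IF:-eth2}"            # assumed OOB management interface
MGMT_ADDR="${MGMT_ADDR:-192.0.2.1}"   # assumed address on that interface
ADMIN_IP="${ADMIN_IP:-192.0.2.10}"    # assumed admin console address

# Rules that confine ssh management to the OOB interface and one admin host,
# and refuse X11 TCP from anywhere (X itself should run with -nolisten tcp).
mgmt_rules() {
    cat <<EOF
iptables -A INPUT -i $MGMT_IF -s $ADMIN_IP -d $MGMT_ADDR -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 6000:6063 -j DROP
EOF
}

# Reads "proto local-addr:port process" lines on stdin; prints any management
# daemon bound to something other than the OOB address or loopback.
check_listeners() {
    while read -r proto addr proc; do
        case "$proc" in sshd|httpd|X|Xorg) ;; *) continue ;; esac
        host="${addr%:*}"
        case "$host" in
            "$MGMT_ADDR"|127.0.0.1|"[::1]") ;;
            *) echo "EXPOSED $proc bound to $addr" ;;
        esac
    done
}

# Reads "mode owner path" lines on stdin; prints setuid binaries owned by
# root, i.e. the escalation path an unprivileged proxy user would look for
# (4th mode character is the owner-execute slot: 's' or 'S' means setuid).
check_setuid() {
    while read -r mode owner path; do
        case "$mode" in ???s*|???S*) ;; *) continue ;; esac
        if [ "$owner" = root ]; then
            echo "SETUID-ROOT $path"
        fi
    done
}

# Constructed sample data (not from a real host).
SAMPLE_LISTENERS='tcp 0.0.0.0:22 sshd
tcp 192.0.2.1:22 sshd
tcp 0.0.0.0:443 httpd
tcp 127.0.0.1:6000 Xorg
tcp 0.0.0.0:3128 proxy'

SAMPLE_SETUID='-rwsr-xr-x root /usr/bin/X
-rwxr-xr-x root /usr/sbin/sshd
-rwsr-xr-x root /usr/bin/passwd
-rwsr-xr-x proxy /usr/local/proxy/helper'

# Run both checks over the samples; one finding per output line.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | check_listeners
    printf '%s\n' "$SAMPLE_SETUID" | check_setuid
}

# Stand-alone: `sh audit.sh --rules` prints the ruleset, otherwise the audit.
if [ "${1:-}" = "--rules" ]; then mgmt_rules; else audit_sample; fi
```

On the sample data the audit reports the sshd and httpd instances bound to 0.0.0.0 and the setuid-root X and passwd binaries; the sshd bound to the management address, the loopback-only X display and the proxy-owned helper are left alone. The ruleset only makes sense if the management interface is separate hardware, which is the "really out of band, not VLAN/crypto" point above; on a shared interface the source-address match is exactly the spoofing hole raised in the quoted text.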