Firewall Wizards mailing list archives

Re: X server in a Firewall

From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 24 Jan 2006 21:27:33 -0500 (EST)

On Tue, 24 Jan 2006, John M wrote:

On the local GUI:

The more code, the more potential vulnerabilities,


On remote access:

Web servers tend to increase the risk, as does any
remote technology.


OK. But what is your recommendation to a fortune 500
company? :)


If you *must* run a GUI, then lock it down and make the admins run it on 
the local console.

That is, if Coca-Cola wanted a unix based firewall and
_wanted manage it trough a graphical interface_, what
would you suggest? A X server running in a firewall
sounds bad, but a web server or ssh server could be
even worse (key logger on the management station or
buffer overflow in the ssh or web daemon and both run
as root, so to have permission to change the fw rules)


Out of band management (i.e. get off your posterior and walk to the 
firewall) is always a winner for me.

I don't like remote access to my firewalls, but if I have to have it, then 
it's got to be out of band (really out of band, not VLAN/crypto) if I get 
to have my way.

Besides the firewall, there´s a proxy running on the
box too (as an unprivileged user), so the box could be
compromised remotely trough it and the privilege
escalated trough a X server vulnerability.


If you permission things well, then that should be a low chance.

I mean, the ssh or web server port used to manage it
could be vulnerable to a buffer overflow attack, so if
only a specific IP (the admin) could connect to this
port, it yet would be vulnerable, but nobody else
could exploit it, except if they spoof the admin IP :)


If you can't trust your proxies, it's time to change proxies ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

X server in a Firewall John M (Jan 24)
- Re: X server in a Firewall Paul D. Robertson (Jan 24)
  - Re: X server in a Firewall John M (Jan 24)
    - Re: X server in a Firewall Paul D. Robertson (Jan 24)
    - Re: X server in a Firewall Brian Loe (Jan 24)
    - Re: X server in a Firewall Paul D. Robertson (Jan 24)
    - Re: X server in a Firewall Chuck Swiger (Jan 24)
    - Re: X server in a Firewall Marcus J. Ranum (Jan 24)
    - Re: X server in a Firewall Cat Okita (Jan 24)
    - Re: X server in a Firewall John M (Jan 24)
    - Re: X server in a Firewall Marcus J. Ranum (Jan 24)
    - Re: X server in a Firewall Peter Bruderer (Jan 25)
  - Re: X server in a Firewall Marcus J. Ranum (Jan 24)
    - Re: X server in a Firewall Cat Okita (Jan 24)

(Thread continues...)