Firewall Wizards mailing list archives

Re: X server in a Firewall


From: Chuck Swiger <chuck () codefab com>
Date: Tue, 24 Jan 2006 21:55:10 -0500

John M wrote:
On remote access:
Web servers tend to increase the risk, as does any
remote technology.

OK. But what is your recommendation to a fortune 500
company? :)

That is, if Coca-Cola wanted a unix based firewall and
_wanted to manage it through a graphical interface_, what
would you suggest? An X server running in a firewall
sounds bad, but a web server or ssh server could be
even worse (key logger on the management station or
buffer overflow in the ssh or web daemon, and both run
as root, so as to have permission to change the fw rules)

In terms of their security history, OpenSSH isn't perfect, but comparing it to
X11 is pretty amusing.  Which one would you rather audit for poorly written
code, potentially exploitable buffer overflows, and other security vulnerabilities:

5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
-rw-r--r--  1 root  wheel   893K Sep  1 02:30 openssh-4.2p1.tar.gz
-rw-r--r--  1 root  wheel    31M Feb 25  2005 xorg/X11R6.8.2-src1.tar.gz
-rw-r--r--  1 root  wheel   3.8M Feb 25  2005 xorg/X11R6.8.2-src2.tar.gz
-rw-r--r--  1 root  wheel   9.9M Feb 25  2005 xorg/X11R6.8.2-src3.tar.gz

...?

-- 
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards