Firewall Wizards mailing list archives
Re: X server in a Firewall
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 24 Jan 2006 23:16:06 -0500
John M wrote:

> My question was: what is better (or worse), taking into account the GUI requirement

Well, OK, we're talking about which is the lesser of a set of evils? You want a kind of "evil sort" algorithm? ;)

> - a local X window server running in the firewall, to be managed locally
> - or a web server, ssh based system
> - or another port based in a proprietary protocol, to be managed remotely?

Assuming you can assert adequate controls on the X server-based solution, it's probably the least evil. For example, if you built a version of X server that only works over a Unix domain socket and doesn't even support network connections, it'd be about as good as you can make anything that has X windows built in.

Web server-based systems are scary to me because the web server writers are trapped in "penetrate and patch" mode and have been there for a long time. Web servers are fairly evil in my world-view. Again, you can do a fair bit to mitigate the risk by locking the web server down, running it unprivileged, cutting its head off, sewing its mouth shut with garlic in it, and hammering a stake through its heart. Chrooting it helps, too. ;)

With all of these things you can and should be able to make an argument that the risks have been mitigated. What terrifies me is that those arguments are seldom made. Everyone is stuck in this cluelessness from the 80's ("Sure, we use Apache, but we fixed all the bugs"). Fundamentally that's bad design. If you know a component of your architecture has had structural flaws, it's basic engineering to avoid using that component as load-bearing unless you build in work-arounds.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
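The controls the post argues for (X server reachable only over a Unix domain socket, web server unprivileged, chrooted and not bound to the wire) can be checked mechanically. The audit below is an added example, not code from the thread or from any firewall product; it parses constructed samples shaped like `ss -lnp` and `ps -eo pid,user,args` output, plus a constructed map of what `readlink /proc/PID/root` would report, and reports which of the mitigations are missing. Process names, pids, paths and ports in the samples are made up; on a real host you would feed in the live command output instead.

```python
"""Audit whether an X server and a web server on a firewall host meet the
mitigations discussed in the thread. Added example; all sample data below
is constructed, not captured from a real machine."""
import re
from dataclasses import dataclass

# Process names treated as X servers and as web servers (assumed inventory).
X_SERVERS = {"Xorg", "X", "Xvfb", "Xvnc"}
WEB_SERVERS = {"httpd", "apache2", "nginx", "lighttpd", "thttpd"}
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")

# Matches the process column that `ss -p` prints: users:(("name",pid=N,fd=M))
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass
class Listener:
    netid: str    # "tcp"/"udp" for network sockets, "u_str"/"u_seq" for Unix domain sockets
    local: str    # "addr:port" for network sockets, a filesystem path for Unix sockets
    process: str
    pid: int


def parse_ss(text):
    """Parse `ss -lnp` style output: header line, then one listener per line."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        m = PROC_RE.search(line)
        if len(fields) < 5 or not m:
            continue
        listeners.append(Listener(fields[0], fields[4], m.group("name"), int(m.group("pid"))))
    return listeners


def parse_ps(text):
    """Parse `ps -eo pid,user,args` output into {pid: (user, args)}."""
    procs = {}
    for line in text.splitlines()[1:]:
        pid, user, args = line.split(None, 2)
        procs[int(pid)] = (user, args)
    return procs


def audit(ss_text, ps_text, roots):
    """Return findings (strings). roots maps pid -> the path /proc/PID/root resolves to."""
    procs = parse_ps(ps_text)
    findings = []
    checked_x = set()
    for l in parse_ss(ss_text):
        user, args = procs.get(l.pid, ("?", ""))
        on_network = l.netid in ("tcp", "udp")
        if l.process in X_SERVERS:
            # The post's goal: X reachable over a Unix domain socket only.
            if on_network:
                findings.append(f"pid {l.pid} {l.process}: X server listens on the network at {l.local}; want Unix domain socket only")
            if l.pid not in checked_x and "-nolisten tcp" not in args:
                findings.append(f"pid {l.pid} {l.process}: command line lacks '-nolisten tcp'")
            checked_x.add(l.pid)
        elif l.process in WEB_SERVERS and on_network:
            # The post's web-server mitigations: unprivileged, chrooted, not on the wire.
            if user == "root":
                findings.append(f"pid {l.pid} {l.process}: running as root")
            if roots.get(l.pid, "/") == "/":
                findings.append(f"pid {l.pid} {l.process}: not chrooted")
            if not l.local.startswith(LOOPBACK_PREFIXES):
                findings.append(f"pid {l.pid} {l.process}: management interface bound to {l.local}, not loopback")
    return list(dict.fromkeys(findings))  # drop duplicates, keep order


# Constructed sample: X server without -nolisten tcp, web server already locked down.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
u_str LISTEN 0      128    /tmp/.X11-unix/X0 12345 * 0 users:(("Xorg",pid=901,fd=5))
tcp   LISTEN 0      128    0.0.0.0:6000 0.0.0.0:* users:(("Xorg",pid=901,fd=6))
tcp   LISTEN 0      128    127.0.0.1:8080 0.0.0.0:* users:(("httpd",pid=1200,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))
"""
SAMPLE_PS = """\
PID USER ARGS
700 root /usr/sbin/sshd -D
901 root /usr/bin/Xorg :0
1200 www /usr/sbin/httpd -f /etc/httpd/httpd.conf
"""
SAMPLE_ROOTS = {700: "/", 901: "/", 1200: "/var/chroot/httpd"}

# Constructed sample of the web-server configuration the post warns about.
WEAK_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1300,fd=4))
"""
WEAK_PS = "PID USER ARGS\n1300 root /usr/sbin/httpd\n"
WEAK_ROOTS = {1300: "/"}

if __name__ == "__main__":
    for f in audit(SAMPLE_SS, SAMPLE_PS, SAMPLE_ROOTS) + audit(WEAK_SS, WEAK_PS, WEAK_ROOTS):
        print(f)
```

The point of the script is to turn "the risks have been mitigated" into something you can assert: each line it prints is one control from the post that a reviewer could ask for evidence of, and an empty report is the argument the post says is seldom made.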
Current thread:
- X server in a Firewall John M (Jan 24)
- Re: X server in a Firewall Paul D. Robertson (Jan 24)
- Re: X server in a Firewall John M (Jan 24)
- Re: X server in a Firewall Paul D. Robertson (Jan 24)
- Re: X server in a Firewall Brian Loe (Jan 24)
- Re: X server in a Firewall Paul D. Robertson (Jan 24)
- Re: X server in a Firewall John M (Jan 24)
- Re: X server in a Firewall Chuck Swiger (Jan 24)
- Re: X server in a Firewall Marcus J. Ranum (Jan 24)
- Re: X server in a Firewall Cat Okita (Jan 24)
- Re: X server in a Firewall John M (Jan 24)
- Re: X server in a Firewall Marcus J. Ranum (Jan 24)
- Re: X server in a Firewall Peter Bruderer (Jan 25)
- Re: X server in a Firewall Paul D. Robertson (Jan 24)
- Re: X server in a Firewall Cat Okita (Jan 24)
- Re: X server in a Firewall Paul D. Robertson (Jan 24)
- Re: X server in a Firewall Cat Okita (Jan 24)
- <Possible follow-ups>
- RE: X server in a Firewall Martijn Berlage (Jan 27)