Re: X server in a Firewall

[John M <idm.john () yahoo com>]

On the local GUI:
> The more code, the more potential vulnerabilities,

On remote access:
> Web servers tend to increase the risk, as does any
> remote technology.

OK. But what is your recommendation to a fortune 500
company? :)

That is, if Coca-Cola wanted a unix based firewall and
_wanted manage it trough a graphical interface_, what
would you suggest? A X server running in a firewall
sounds bad, but a web server or ssh server could be
even worse (key logger on the management station or
buffer overflow in the ssh or web daemon and both run
as root, so to have permission to change the fw rules)

Besides the firewall, there´s a proxy running on the
box too (as an unprivileged user), so the box could be
compromised remotely trough it and the privilege
escalated trough a X server vulnerability.


> > server, etc) could be vulnerable and, even if is
> only
> > accepting connections from a specific IP, someone
> on
> > internal network could do ARP spoofing or
> something.
>
> Ideally your authentication requires more than just
> an IP address to
> validate...


I mean, the ssh or web server port used to manage it
could be vulnerable to a buffer overflow attack, so if
only a specific IP (the admin) could connect to this
port, it yet would be vulnerable, but nobody else
could exploit it, except if they spoof the admin IP :)



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards