Re: [fw-wiz] X server in a Firewall



On Tue, 24 Jan 2006, John M wrote:

> Taking into account that a graphical interface is a
> requirement, from a risk standpoint, what is the
> problem in running an X server (using local IPC, no
> external port) in a unix based firewall box to manage
> it (using a gtk interface, for example)?

There's quite a bit of risk, depending on the system, its configuration
and who's in front of it. Not too facetiously, the biggest risk of a GUI
is that idiots will think they can administer the firewall ;)

The more code, the more potential vulnerabilities, the more GUI the more
likely surfing from the firewall will happen, etc.

> Managing it through a ssh port (or a web interface or
> another port used by a proprietary console) wouldn't
> increase the risk? since the ssh daemon (or web

Web servers tend to increase the risk, as does any remote technology.
I know it's old fashioned to expect people to get off their behinds to
manage their firewalls, but remote access increases your risk
significantly and really shouldn't be a big factor (if you're changing
rulesets that much, you're doing something wrong.)

> server, etc) could be vulnerable and, even if it is only
> accepting connections from a specific IP, someone on
> internal network could do ARP spoofing or something.
>

Ideally your authentication requires more than just an IP address to
validate...

> Besides this, the box managing the firewall could have
> a key logger installed. (I know, in an ideal
> world...).

Indeed, that's why console-only access is the best method.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
