Re: [fw-wiz] X server in a Firewall



On Tue, 24 Jan 2006, John M wrote:

> On the local GUI:
> > The more code, the more potential vulnerabilities,
>
> On remote access:
> > Web servers tend to increase the risk, as does any
> > remote technology.
>
> OK. But what is your recommendation to a fortune 500
> company? :)

If you *must* run a GUI, then lock it down and make the admins run it on
the local console.

> That is, if Coca-Cola wanted a unix based firewall and
> _wanted manage it trough a graphical interface_, what
> would you suggest? A X server running in a firewall
> sounds bad, but a web server or ssh server could be
> even worse (key logger on the management station or
> buffer overflow in the ssh or web daemon and both run
> as root, so to have permission to change the fw rules)

Out of band management (i.e. get off your posterior and walk to the
firewall) is always a winner for me.

I don't like remote access to my firewalls, but if I have to have it, then
it's got to be out of band (really out of band, not VLAN/crypto) if I get
to have my way.

> Besides the firewall, there´s a proxy running on the
> box too (as an unprivileged user), so the box could be
> compromised remotely trough it and the privilege
> escalated trough a X server vulnerability.

If you permission things well, then that should be a low chance.

> I mean, the ssh or web server port used to manage it
> could be vulnerable to a buffer overflow attack, so if
> only a specific IP (the admin) could connect to this
> port, it yet would be vulnerable, but nobody else
> could exploit it, except if they spoof the admin IP :)

If you can't trust your proxies, it's time to change proxies ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
http://fora.compuwar.net Infosec discussion boards

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards