Re: [fw-wiz] X server in a Firewall
- From: Chuck Swiger <chuck@xxxxxxxxxxx>
- Date: Tue, 24 Jan 2006 21:55:10 -0500
John M wrote:
> On remote access:
>> Web servers tend to increase the risk, as does any
>> remote technology.
>
> OK. But what is your recommendation to a Fortune 500
> company? :)
>
> That is, if Coca-Cola wanted a Unix-based firewall and
> _wanted to manage it through a graphical interface_, what
> would you suggest? An X server running in a firewall
> sounds bad, but a web server or ssh server could be
> even worse (key logger on the management station or
> buffer overflow in the ssh or web daemon and both run
> as root, so to have permission to change the fw rules)

In terms of their security history, OpenSSH isn't perfect, but comparing it to
X11 is pretty amusing. Which one would you rather audit for poorly written
code, potentially exploitable buffer overflows, and other security vulnerabilities:

5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
-rw-r--r-- 1 root wheel 893K Sep 1 02:30 openssh-4.2p1.tar.gz
-rw-r--r-- 1 root wheel 31M Feb 25 2005 xorg/X11R6.8.2-src1.tar.gz
-rw-r--r-- 1 root wheel 3.8M Feb 25 2005 xorg/X11R6.8.2-src2.tar.gz
-rw-r--r-- 1 root wheel 9.9M Feb 25 2005 xorg/X11R6.8.2-src3.tar.gz

...?

--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards