Re: [fw-wiz] X server in a Firewall



John M wrote:
>My question was: what is better (or worse), taking into
>account the GUI requirement

Well, OK, we're talking about which is the lesser of a set
of evils? You want a kind of "evil sort" algorithm? ;)


>- a local X window server running in the firewall, to be managed locally
>- or a web server, ssh based system
>- or another port based on a proprietary protocol, to be managed remotely?

Assuming you can assert adequate controls on the X server-based
solution, it's probably the least evil. For example, if you built a version
of X server that only works over a Unix domain socket and doesn't
even support network connections, it'd be about as good as you can
make anything that has X windows built in.

Web server-based systems are scary to me because the web
server writers are trapped in "penetrate and patch" mode and have
been there for a long time. Web servers are fairly evil in my world-view.
Again, you can do a fair bit to mitigate the risk by locking the web
server down, running it unprivileged, cutting its head off, sewing its
mouth shut with garlic in it, and hammering a stake through its
heart. Chrooting it helps, too. ;)

With all of these things you can and should be able to make an
argument that the risks have been mitigated. What terrifies
me is that those arguments are seldom made. Everyone is
stuck in this cluelessness from the 80's ("Sure, we use Apache,
but we fixed all the bugs"). Fundamentally that's bad design.
If you know a component of your architecture has had structural
flaws, it's basic engineering to avoid using that component as
load-bearing unless you build in work-arounds.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
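
The property described in the message above (an X server reachable only over a Unix domain socket, with no network listener) can be verified on a Linux firewall from the kernel's socket tables. The following is an added example, not part of the original post: the function names are hypothetical, the sample tables are constructed, and it assumes the Linux /proc/net/tcp and /proc/net/unix layouts on a little-endian host, IPv4 only.

```python
import ipaddress

X11_BASE, X11_DISPLAYS = 6000, 64  # display N listens on TCP 6000+N
TCP_LISTEN = "0A"                  # LISTEN state code in /proc/net/tcp
SO_ACCEPTCON = 0x10000             # listening flag in /proc/net/unix

# Constructed sample data in /proc/net/tcp and /proc/net/unix layout.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:1771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0100007F:1770 0100007F:A3F2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
"""
SAMPLE_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 2001 /tmp/.X11-unix/X0
0000000000000000: 00000003 00000000 00000000 0001 03 2002 /tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0001 01 2003 /run/dbus/system_bus_socket
"""

def x11_tcp_listeners(proc_net_tcp):
    """Return (address, port, display) for each IPv4 listener in the X11 port range."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 4 or f[3] != TCP_LISTEN:        # established sockets are not listeners
            continue
        hex_ip, hex_port = f[1].split(":")
        port = int(hex_port, 16)
        if X11_BASE <= port < X11_BASE + X11_DISPLAYS:
            # Assumption: little-endian host, so the hex word is byte-reversed.
            addr = str(ipaddress.IPv4Address(int(hex_ip, 16).to_bytes(4, "little")))
            found.append((addr, port, port - X11_BASE))
    return found

def x11_unix_listeners(proc_net_unix):
    """Return listening Unix domain socket paths under /tmp/.X11-unix/."""
    paths = []
    for line in proc_net_unix.splitlines()[1:]:
        f = line.split()
        if (len(f) >= 8 and int(f[3], 16) & SO_ACCEPTCON
                and f[7].lstrip("@").startswith("/tmp/.X11-unix/X")):
            paths.append(f[7])
    return paths

def audit(proc_net_tcp, proc_net_unix):
    """local_only is True only when no X11 TCP listener exists at all."""
    tcp = x11_tcp_listeners(proc_net_tcp)
    return {"tcp": tcp, "unix": x11_unix_listeners(proc_net_unix), "local_only": not tcp}
```

On a real host, pass the contents of /proc/net/tcp and /proc/net/unix to `audit`; a separate pass over /proc/net/tcp6 is needed to cover IPv6 listeners.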


