Re: tcpwrapped rpcbind/portmap?
From: Trevor Fiatal (trevor@seven.com)
Date: 08/22/01
- Previous message: Doug Hughes: "Re: tcpwrapped rpcbind/portmap?"
- In reply to: Reg Quinton: "Re: tcpwrapped rpcbind/portmap?"
- Next in thread: Vladimir Ivanov: "Re: tcpwrapped rpcbind/portmap?"
Message-ID: <3B82E764.14025BE7@seven.com>
Date: Tue, 21 Aug 2001 15:57:40 -0700
From: Trevor Fiatal <trevor@seven.com>
To: Reg Quinton <reggers@ist.uwaterloo.ca>
Subject: Re: tcpwrapped rpcbind/portmap?

Reg Quinton wrote:
>
> > Absolutely. The lack of ACL enforcement within the stock Solaris
> > rpcbind makes its use problematic in a security-sensitive environment.
>
> I'd guess you're better off to have the filtering done at a lower level
> in the IP stack and not require that each service implement its own
> filtering.

Yes, IPfilter built as a 64-bit LKM is certainly one line of defense.
Concerns have been raised about the performance impact of using an
IPfilter LKM with Solaris, and on top of that it's an additional
package to maintain across all of one's systems, as opposed to an
incremental feature in an existing package.

In any case, as noted by Geoff Collis in another message within this
thread, it is sometimes desirable to have multiple layers performing the
same security functions (ACL checking in this case) in order to decrease
the probability of failure.

-Trevor
-- Trevor Fiatal -- trevor@seven.com -- http://www.seven.com/ Co-Founder Seven 510.967.4556 (work/mobile) 510.401.8054 (vmail/fax)