Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

From: John Rowan Littell (littejo@earlham.edu)
Date: 11/05/01


Date: Mon, 5 Nov 2001 16:58:47 -0500
From: John Rowan Littell <littejo@earlham.edu>
To: focus-sun@securityfocus.com
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)
Message-ID: <20011105165845.G10644@earlham.edu>


Lo, Fabrice Bacchella and the coffee pot sang in unison:
> I always had a bad feeling about tcpwrappers, it can only protect a few
> daemons, those running with inetd and those willing to do so. That's
> little use against a hacker, who will just try something else. Try
> something like ipf instead, you can protect every service running on
> your machine.

Regardless of the applicability of this to SunCluster, I might
actually disagree here. There's no harm, in my mind, to adding an
_extra_ layer of security around a service. I'm not suggesting that
one forego ipf, but I am suggesting that it be used in combination
with tcpwrappers. If the processing overhead is minimal, throw as
much protection at the service as you can.

Note also that there's plenty of non-Sun specific software that can
use tcpwrappers without having to be in inetd -- the libwrap library
is for use by any service, anywhere, as long as you modify the source
to support it.

  --rowan

-- 
John "Rowan" Littell
Systems Administrator
Earlham College Computing Services
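
An added example, not part of the original message or of any project named in it: a standalone (non-inetd) TCP service calling libwrap's hosts_ctl() right after accept(), the kind of source change the reply describes. The daemon name "wrapdemo", the functions peer_permitted() and accept_wrapped(), and the USE_LIBWRAP build macro are assumptions made for illustration; the sketch handles IPv4 peers only.

```c
/* Build against libwrap with:  cc -DUSE_LIBWRAP -c wrapdemo.c   (link with -lwrap)
 * "wrapdemo" is a hypothetical daemon name to use in hosts.allow/hosts.deny. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <unistd.h>

#ifdef USE_LIBWRAP
#include <tcpd.h>
int allow_severity = LOG_INFO;    /* classic libwrap expects the program */
int deny_severity = LOG_WARNING;  /* to define these two syslog levels   */
static int policy_check(const char *daemon, const char *addr)
{
    /* Host name and user are not looked up here, so pass STRING_UNKNOWN.
     * Casts: classic tcpd.h declares the parameters as plain char *. */
    return hosts_ctl((char *)daemon, STRING_UNKNOWN, (char *)addr, STRING_UNKNOWN);
}
#else
/* Constructed stand-in so the example runs without the library: behaves like
 * "wrapdemo: 192.0.2." in hosts.allow plus "ALL: ALL" in hosts.deny. */
static int policy_check(const char *daemon, const char *addr)
{
    return strcmp(daemon, "wrapdemo") == 0 && strncmp(addr, "192.0.2.", 8) == 0;
}
#endif

/* 1 if the dotted-quad peer address may use the service, 0 if not. */
int peer_permitted(const char *daemon, const char *addr)
{
    return policy_check(daemon, addr) != 0;   /* hosts_ctl() returns 0 on deny */
}

/* Use in place of accept(): refused peers are closed before any protocol I/O. */
int accept_wrapped(int lfd, const char *daemon)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    char addr[INET_ADDRSTRLEN];
    int fd = accept(lfd, (struct sockaddr *)&peer, &len);

    if (fd < 0)
        return -1;
    if (inet_ntop(AF_INET, &peer.sin_addr, addr, sizeof addr) == NULL ||
        !peer_permitted(daemon, addr)) {
        syslog(LOG_WARNING, "%s: connection refused by access policy", daemon);
        close(fd);
        return -1;
    }
    return fd;
}
```

The check runs inside the service itself, so it still applies if a packet-filter rule in front of the host is missing or wrong.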