mailing list archives
Re: Cyberguard FW silliness
From: phzy () ANTIPLUR COM
Date: Mon, 6 Nov 2000 16:09:16 -0500
Art.Green () med ge com wrote:
Now, I'm not a MAC expert, but all but one of these seem quite obvious.
I tried accessing all of these using a unprivileged user and except for
the last item, could not read or write the files.
Absolutely. However, complete reliance upon any one aspect of an
operating system is a recipe for disaster. I equate this to a scenario
where an administrator has installed a web application atop a default
installation of an operating system riddled with known security
vulnerabilities, but feels safe because he's placed it behind a firewall
which filters everything but web traffic.
The underlying foundation upon which the application is
based is insecure! Should the firewall fail, the remaining portions of
the entire 'system' (meaning the OS + web application + firewall) would
not be able to withstand a direct attack. Although I agree
that MAC will provide you with reasonable assurance that
an attacker would not be able to write to these files, it does not
provide absolute assurance. If something does not provide absolute
assurance, it only makes sense to see what else could be done to
further protect yourself from intrusion.
Sent with Antiplur webmail: http://webmail.antiplur.com