Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: X server in a Firewall

Re: X server in a Firewall

From: R. DuFresne <dufresne_at_sysinfo.com>
Date: Fri, 27 Jan 2006 16:55:27 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 Jan 2006, Chuck Swiger wrote:

> John M wrote:
>> On remote access:
>>> Web servers tend to increase the risk, as does any
>>> remote technology.
>>
>> OK. But what is your recommendation to a fortune 500
>> company? :)
>>
>> That is, if Coca-Cola wanted a unix based firewall and
>> _wanted manage it trough a graphical interface_, what
>> would you suggest? A X server running in a firewall
>> sounds bad, but a web server or ssh server could be
>> even worse (key logger on the management station or
>> buffer overflow in the ssh or web daemon and both run
>> as root, so to have permission to change the fw rules)
>
> In terms of their security history, OpenSSH isn't perfect, but comparing it to
> X11 is pretty amusing. Which one would you rather audit for poorly written
> code, potentially exploitable buffer overflows, and other security vulnerabilities:
>
> 5-pi% cd /usr/ports/distfiles && ls -lh openssh-4.2p1.tar.gz xorg/X11R6*
> -rw-r--r-- 1 root wheel 893K Sep 1 02:30 openssh-4.2p1.tar.gz
> -rw-r--r-- 1 root wheel 31M Feb 25 2005 xorg/X11R6.8.2-src1.tar.gz
> -rw-r--r-- 1 root wheel 3.8M Feb 25 2005 xorg/X11R6.8.2-src2.tar.gz
> -rw-r--r-- 1 root wheel 9.9M Feb 25 2005 xorg/X11R6.8.2-src3.tar.gz

Still missing a good chuck of ssh in there, where's the openssl tarball?
Granted not as large as the X tarballs, but, folks should never have the
impression that ssh stands alone. In fact there are a few more tarballs
that should be in this mix, zlib, and likely a few crypto ones as well.

While still lopsided in code weight, not as lopsided as making the erros
that ssh is a stand alone....

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant: sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFD2pbSst+vzJSwZikRAmLEAKCyy+xfG6dXqyPc6eph78bn92GRzACeMsRc
xoyrUOzQagEzSdsU7C+sVoU=
=FvEb
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 01 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]