Firewall/Router security (was Re: Minimal Install Option)

Bill Anderson bill at noreboots.com
Thu Aug 21 23:13:07 UTC 2003


On Thu, 2003-08-21 at 14:52, Chris Ricker wrote:
> On Thu, 21 Aug 2003, Pekka Savola wrote:
> 
> > > and then join the OpenSSL / OpenSSH exploit train.... No, thanks!
> > 
> > I'm puzzled by this point.  These would be local vulnerabilities.  There 
> > will always be those, and it can be mitigated by keeping the system 
> > up-to-date.
> 
> Not so. They're remote exploits from anywhere which can connect to OpenSSH.

http://web.mit.edu/kerberos/www/advisories/
Kerberos has had its "share" of security exploits as well. They include
remote compromise vulnerabilities.

Pretty much everything in this category can be said to have had these
kinds of problems. 

> > If you haven't heard, hosts.allow activates the access controls very, very 
> > early in the process.  You really can't exploit OpenSSH using that: 1) no 
> > SSH protocol processing happens before that, and 2) no input is received 
> > or processed before that.
> 
> a) tcp wrappers is circumventable. How easily depends on how it's 
> configured....
> b) you're still attackable from any place you list in hosts.allow, even if 
> tcp wrappers isn't being bypassed. firewalls can be attacked from inside as 
> well as from out....
> 
> *shrug* IMHO, it's worth the trouble to manage some firewalls out-of-band. 
> In yours, it's not. 

In some cases it simply isn't feasible. It is not feasible for example,
for me to fly halfway around the world just to do that.

So SSH and krb are optional install, clearly neither are *needed* to do
firewall/router stuff. We make them options available to be installed,
but *not* part of a minimal *mandatory* install.

-- 
Bill Anderson
RHCE #807302597505773
bill at noreboots.com
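The hosts.allow / hosts.deny check that Pekka and Chris argue about, as an added example that is not part of this thread: a small evaluator of the tcp_wrappers decision order (hosts.allow first, then hosts.deny, then default allow) over a constructed pair of files. It implements only a subset of the client patterns (ALL, exact address, net/mask, dotted prefix, EXCEPT); the daemon name and all addresses are constructed, and the point it makes visible is Chris's: an address listed in hosts.allow still reaches sshd, so the wrapper only narrows who can attack it.

```python
import ipaddress

# Constructed sample files, not anyone's real configuration: allow SSH from one
# management network (minus one host) and one remote admin address; deny the rest.
HOSTS_ALLOW = """\
sshd : 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.13
sshd : 203.0.113.7
"""
HOSTS_DENY = """\
ALL : ALL
"""

def _parse(text):
    """Return [(daemon_list, client_list, except_list)] for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = (f.strip() for f in line.split(":", 2)[:2])
        clients, _, excepts = clients.partition(" EXCEPT ")
        rules.append((daemons.split(), clients.split(), excepts.split()))
    return rules

def _client_matches(pattern, ip):
    """Subset of tcp_wrappers client patterns: ALL, exact IP, net/mask, 'n.n.n.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    return str(ip) == pattern

def _rule_matches(rule, daemon, ip):
    daemons, clients, excepts = rule
    if daemon not in daemons and "ALL" not in daemons:
        return False
    return (any(_client_matches(p, ip) for p in clients)
            and not any(_client_matches(p, ip) for p in excepts))

def wrapper_allows(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if the wrapper hands the connection to the daemon at all."""
    ip = ipaddress.ip_address(client_ip)
    if any(_rule_matches(r, daemon, ip) for r in _parse(allow)):
        return True            # matched hosts.allow: sshd now sees the client
    if any(_rule_matches(r, daemon, ip) for r in _parse(deny)):
        return False           # matched hosts.deny: dropped before any SSH protocol
    return True                # matched neither: tcp_wrappers' default is allow
```

Without a catch-all line in hosts.deny the last branch applies, which is the configuration-dependent bypass Chris alludes to.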
