Firewall Wizards mailing list archives
Re: X server in a Firewall
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 24 Jan 2006 19:31:10 -0500 (EST)
On Tue, 24 Jan 2006, John M wrote:
Taking into account that a graphical interface is a requirement, from a risk standpoint, what is the problem in running an X server (using local IPC, no external port) in a Unix-based firewall box to manage it (using a gtk interface, for example)?
There's quite a bit of risk, depending on the system, its configuration and who's in front of it. Not too facetiously, the biggest risk of a GUI is that idiots will think they can administer the firewall ;) The more code, the more potential vulnerabilities, the more GUI the more likely surfing from the firewall will happen, etc.
Managing it through a ssh port (or a web interface or another port used by a proprietary console) wouldn't increase the risk? since the ssh daemon (or web
Web servers tend to increase the risk, as does any remote technology. I know it's old fashioned to expect people to get off their behinds to manage their firewalls, but remote access increases your risk significantly and really shouldn't be a big factor (if you're changing rulesets that much, you're doing something wrong.)
server, etc) could be vulnerable and, even if it is only accepting connections from a specific IP, someone on internal network could do ARP spoofing or something.
Ideally your authentication requires more than just an IP address to validate...
Besides this, the box managing the firewall could have a key logger installed. (I know, in an ideal world...).
Indeed, that's why console-only access is the best method.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards