Firewall Wizards mailing list archives

Re: X server in a Firewall


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 24 Jan 2006 19:31:10 -0500 (EST)

On Tue, 24 Jan 2006, John M wrote:

> Taking into account that a graphical interface is a
> requirement, from a risk standpoint, what is the
> problem in running an X server (using local IPC, no
> external port) on a unix-based firewall box to manage
> it (using a gtk interface, for example)?

There's quite a bit of risk, depending on the system, its configuration 
and who's in front of it.  Not too facetiously, the biggest risk of a GUI 
is that idiots will think they can administer the firewall ;)

The more code, the more potential vulnerabilities, the more GUI the more 
likely surfing from the firewall will happen, etc.

> Managing it through an ssh port (or a web interface or
> another port used by a proprietary console) wouldn't
> that increase the risk, since the ssh daemon (or web

Web servers tend to increase the risk, as does any remote technology.
I know it's old fashioned to expect people to get off their behinds to 
manage their firewalls, but remote access increases your risk 
significantly and really shouldn't be a big factor (if you're changing 
rulesets that much, you're doing something wrong.)

> server, etc) could be vulnerable and, even if it is only
> accepting connections from a specific IP, someone on the
> internal network could do ARP spoofing or something.


Ideally your authentication requires more than just an IP address to 
validate...

> Besides this, the box managing the firewall could have
> a key logger installed. (I know, in an ideal
> world...).

Indeed, that's why console-only access is the best method.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
http://fora.compuwar.net      Infosec discussion boards 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
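Editor's added example (not part of Paul's message or John M's question): if ssh management is kept despite the advice above, the point "authentication requires more than just an IP address" translates into an sshd_config in which the source address is only a filter and a key is the actual credential. The weak pattern it replaces is an sshd that accepts passwords from any host a packet filter or tcp_wrappers rule lets through, which is exactly what the ARP-spoofing scenario in the thread defeats. The interface address 10.0.0.1, management host 10.0.0.5 and the user name fwadmin are assumptions chosen for illustration.

```sshd_config
# Hypothetical sshd_config fragment for a firewall's management daemon.
# Assumptions: internal interface 10.0.0.1, admin workstation 10.0.0.5,
# admin account fwadmin. Adjust to your own addressing.

# Bind only on the inside; the outside address never gets an ssh listener.
ListenAddress 10.0.0.1

# A spoofed source address gets the attacker nothing without the private key.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no

# No direct root; the admin logs in as an unprivileged user and escalates locally.
PermitRootLogin no

# Both the user name AND the source address must match: the address is a
# filter layered on top of the key, not a substitute for it.
AllowUsers fwadmin@10.0.0.5

# Small budget for failed attempts; one key, one try, should be the norm.
MaxAuthTries 3
LoginGraceTime 30

# The firewall is not a relay point for anything else on the network.
AllowTcpForwarding no
X11Forwarding no
AllowAgentForwarding no
PermitTunnel no
```

The other half of the ARP-spoofing concern is the admin workstation being steered to a fake firewall; that is handled on the client side by pinning the firewall's host key (`StrictHostKeyChecking yes` in the workstation's ssh_config, with the key pre-placed in known_hosts) so a spoofed host cannot complete the handshake and harvest a password. None of this addresses the key logger John M mentions, which is why the console-only answer still stands.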
