----- Original Message -----
| Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
| you care strongly if it went away (or would you just migrate to something
| else)?
| 

Yes, we do use TCP Wrappers.  We also use IPTables, edge gateway firewalls, 
VPNs and other tools.  The reason that we use them is to support additional 
security.

The case is being made to remove a tool that is considered to be legacy.  While 
it is understood that legacy = old/unmaintained/crap, it does remove an 
additional layer of security that can be applied for a base system.  So the 
question then is, what can be used as a suitable replacement?  If so what is 
that suitable replacement?  If one doesn't exist, how long until we can get one?

Security is about layering technology.  IPTables doesn't solve all of the 
problems out there.  People mentioned NFSv3 and moving to NFSv4 and while this 
may be suitable for some people it doesn't apply to others.  To simply remove a 
tool because its code hasn't been modified in X number of 
days, months, years, decades is really in many cases what I like to call "version 
envy".

I'd love to hear about the "old and unmaintainable code".  It's open source 
code.  If something's broken you can fix it, right!?! That's the open source 
mantra!  Either provide a set of reasons why it should be removed and the 
alternatives that cover all the use cases of TCP Wrappers or let the code that 
obviously works remain there undisturbed.  It's an extra layer of security that 
administrators can use to secure their systems and it's dead simple to 
understand!



-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices

"Around here, however, we don’t look backwards for very long.  We KEEP MOVING 
FORWARD, opening up new doors and doing things because we’re curious and 
curiosity keeps leading us down new paths." - Walt Disney
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
