On Mon, 7 May 2001, Alvin Oga wrote:
> and yes,... i've heard many reasons NOT to run anything on the
> firewall.... its NOT that i've NOT heard... i also contend that
> there are just as similar numbers of ipchains and kernel exploits that
> could still exist on the firewall even w/o bind.....
> - more apps you add on the firewall..the more likely
> to have more exploits than otherwise w/o those apps
>
> and adding bind may or may not compound the possible exploits
> -- just depends on their network and budget and resources..
For any application other than BIND, WU-ftpd, and about 3 or 4 others,
that would be a true statement. BIND has shown with at least v4 & v8 that
adding it significantly compounds the vulnerability of any system it's
installed on.
(Damn the new century- "Sendmail of the '90's" had such a nice ring...)
> as of today .... i would suspect that 2.4.4 kernel w/ bind-8.2.3
> is NOT that bad of an option if one has only 2 boxes that they
8.2.4-T2B includes
fixed file descriptor leak in resolver.
and:
numerous bug fixes.
2.2.4 is way too new for serious security work- there's no way to have
tested it rigorously thus far.
> security is only as good as the weakest link...
The weakest link simply needs to be stronger than what's attacking the
chain.
If we're doing quotes...
"Perfect is the enemy of good enough."
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."