On Fri, Feb 21, 2003 at 09:15:50AM -0800, Jim Reid wrote:
> >>>>> "Ed" == Ed Sawicki <[EMAIL PROTECTED]> writes:
> 
>     Ed> I want my systems to be as secure from attack as possible. To
>     Ed> me, this means never allowing both functions to be provided by
>     Ed> the same codebase.
>     >>  Fine. But by the same reasoning, you wouldn't want to provide
>     >> both functions on the same box.
> 
>     Ed> I can run both processes in the same computer safely because
>     Ed> each is running as a different non-root user and each is
>     Ed> chrooted to a different place in the file system. If I'm
>     Ed> really paranoid, I can run each in its own Linux virtual
>     Ed> machine (UML) - all the while using only one IP address.
> 
> So what? The stuff is still on just one box. You've still got all your
> eggs in one basket. Albeit a basket with fancy padded compartments. All
> this software ring-fencing isn't going to help if the CPU catches fire
> or someone trips over the power cable and disconnects it, etc, etc.

Sure, there is a large set of problems that the "padded compartments"
won't address.  That doesn't invalidate the idea, since there is also a real
value to having small, highly separable components that are individually
easier to validate and secure.

There are numerous failure modes, and numerous tradeoffs.  In some
environments IP addresses are scarce, and one develops the habit of
being very conservative in their use. 

Kent