On Thu, 11 Sep 2003, Michel Py wrote:
> Pekka Savola wrote:
> > Then you have to first compromise the system concerned, going
> > through all the other protections.
>
> Before you hack the box to circumvent the hosts.allow you still have
> to ... well, hack the box! An interesting chicken and egg problem, no?
> Never heard of a joe-job from the inside?

Of course..

> You might have a 30-second
> window at the host console while nobody is looking, enough to vi the
> hosts.allow file, not enough to reconfigure the system. I have seen a
> case of someone that got hired as a janitor and that spent weeks typing
> a file one line per day. Hacking a network is 50% social engineering and
> penetrating the physical defenses, 45% luck, 5% technical; most of the
> time the moles you get in the inside are not top-notch engineers.

.. which is why I didn't advocate this as a _single_ protection, and
which is why local addressing should not be used as a _single_
protection.  Having to hack e.g. 3 different boxes to get around an
access control is no longer so simple.

> > In the same vein, one could say that using local addresses gives
> > no protection because you could just (as root) add a global address
> > on the box.
>
> Does not do any good if you don't reconfigure the router.

If you don't want a host to talk to the outside world at all, even
though it has global addresses, you don't need to allow anything at all
in the router -- you can block hosts completely.  Hence there is no
difference here.

I think it should be possible to conclude that there seems to be no
significant difference, security-wise, whether you use local addressing
or not (well, I might argue that using local addressing is less secure,
but I'll be generous).  A similar level of security can be easily
achieved otherwise as well.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
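The two layers argued over in this exchange, a hosts.allow/hosts.deny check on the host and a filter on the router, can be modelled so that the "edit hosts.allow in a 30-second window" scenario and the "block a globally addressed host completely at the router" point can both be checked concretely. The script below is an added example, not code from the thread or from either poster; it implements the tcp_wrappers client-list syntax for IPv6 prefixes as documented in hosts_access(5) (`[prefix]/len` and `ALL`), while the router ACL shape, the function names, the RFC 3849 documentation prefix 2001:db8:1::/48 and every address in it are assumptions constructed for illustration.

```python
"""Defense-in-depth access check: a TCP-wrappers-style hosts.allow/hosts.deny
evaluation on the host plus a first-match router ACL, evaluated independently.

Added example (not from the mailing-list post). Constructed data: the internal
prefix 2001:db8:1::/48 (RFC 3849 documentation space), the host 2001:db8:1::10
that is to be unreachable from outside, and the ACL layout are assumptions."""
import ipaddress


def parse_hosts_access(text):
    """Parse 'daemon_list : client_list' lines into (daemon_set, networks) tuples.

    Supports the hosts_access(5) forms used here: ALL, and the IPv6 prefix
    pattern "[n:n:n:n:n:n:n:n]/m".  Other patterns (hostnames, netgroups,
    dotted IPv4 nets) are deliberately rejected so mistakes are loud.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        daemon_set = {d.strip() for d in daemons.split(",")}
        nets = []
        for pattern in (c.strip() for c in clients.split(",")):
            if pattern == "ALL":
                nets.append(ipaddress.ip_network("::/0"))
            elif pattern.startswith("["):
                addr, _, plen = pattern[1:].partition("]/")
                nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
            else:
                raise ValueError(f"unsupported client pattern: {pattern}")
        rules.append((daemon_set, nets))
    return rules


def _matches(rules, daemon, client):
    ip = ipaddress.ip_address(client)
    return any((daemon in daemons or "ALL" in daemons) and any(ip in n for n in nets)
               for daemons, nets in rules)


def host_allows(allow_text, deny_text, daemon, client):
    """tcp_wrappers order: hosts.allow match -> allow; hosts.deny match -> deny; else allow."""
    if _matches(parse_hosts_access(allow_text), daemon, client):
        return True
    if _matches(parse_hosts_access(deny_text), daemon, client):
        return False
    return True


def router_permits(acl, src, dst):
    """First-match ACL of (action, src_net, dst_net) with an implicit final deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def reachable(acl, allow_text, deny_text, daemon, src, dst):
    """Both layers must pass: a tampered hosts.allow alone cannot open the router."""
    return router_permits(acl, src, dst) and host_allows(allow_text, deny_text, daemon, src)


# Constructed site: global addressing everywhere, with 2001:db8:1::10 blocked at
# the router from all non-internal sources.  That single deny line gives the host
# the "cannot talk to the outside world" property a site-local address would.
INTERNAL = "2001:db8:1::/48"
ROUTER_ACL = [
    ("permit", INTERNAL, INTERNAL),
    ("deny", "::/0", "2001:db8:1::10/128"),
    ("permit", "::/0", INTERNAL),
]
HOSTS_ALLOW = "sshd : [2001:db8:1::]/48\n"
HOSTS_DENY = "ALL : ALL\n"
# The 30-second-at-the-console edit from the thread: hosts.allow opened to everyone.
HOSTS_ALLOW_TAMPERED = "sshd : ALL\n"


def demo():
    """Evaluate the four cases the thread argues about; returns a dict of booleans."""
    outside, inside, target = "2001:db8:ffff::1", "2001:db8:1::20", "2001:db8:1::10"
    return {
        "inside_ok": reachable(ROUTER_ACL, HOSTS_ALLOW, HOSTS_DENY, "sshd", inside, target),
        "outside_blocked": reachable(ROUTER_ACL, HOSTS_ALLOW, HOSTS_DENY, "sshd", outside, target),
        # host layer alone is now open to the outside address...
        "tampered_host_layer": host_allows(HOSTS_ALLOW_TAMPERED, HOSTS_DENY, "sshd", outside),
        # ...but the router still drops the packet, so the second box must be hacked too
        "tampered_still_blocked": reachable(ROUTER_ACL, HOSTS_ALLOW_TAMPERED, HOSTS_DENY,
                                            "sshd", outside, target),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The router model is an abstraction of a border router's policy, so internal-to-internal traffic is listed explicitly rather than assumed to bypass the ACL; the point it makes is the one in the reply above: with a deny line for the host's global address, nothing needs to be allowed for it at all, and an attacker who has edited hosts.allow still has a second, independently administered box to get through.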
