Mike Sensney wrote:
> 
> At 12:26 PM 06/14/2001 -0500, David Douthitt wrote

> Windows users who don't know Linux/ipchains should just skip installing a
> LEAF firewall since it will add no protection? Well, that will simplify
> things a lot for the new users page. "You don't know Linux? Don't use a
> Linux based firewall!"  :-)

Oh, I see...... I guess my feelings run a little strong against the
idea of treating computers as "buy-and-forget" appliances, especially
when it comes to security.  Anyone who's been around in arenas as
diverse as law and copy-protection knows: there are flaws in the
system and human beings will find them.  You may be secure and safe
now; tomorrow somebody will find a way in.

> >1. Too many variables: do you want a VPN?  Shell access?  Proxy?
> >DMZ?  Web Cache?  Web server?  SNMP?  Web statistics?  Name services?
> >DHCP?
> 
> How many of these services are going to be needed by a newbie for a
> first time setup?

VPN: possibly.  Shell access: almost certainly.  Proxy: very
possibly.  DHCP: client almost certainly; server possibly.

> >2. Insecurities are constantly being discovered - a solid protected
> >system will be a security risk in six months.
> 
> How many insecurities have been discovered in the EigerStein2 since its
> release? For that matter, how many people are still using 2.9.4 or even
> 2.9.3 LRP releases that have never been updated? And how hard is it to
> hack one of these boxes if it is running as a basic system, meaning no
> extra daemons on them that are exposed to the Internet?

Compromises have been found in traceroute, glibc, BIND, DHCP clients,
and NTP since it came out.  Until it was updated recently, all were
still present as I understand it.  All of these remain present in LRP
I believe.

Consider even Linux 2.4 - which hasn't been out long - but already
there was found a security flaw in FTP sessions going through
iptables.

All of these security flaws have been fixed, but fixes need to be
propagated into the distributions.

This idea of constantly discovered new security flaws is also a very
good reason to go to glibc 2.1 and even more so, to glibc 2.2 - glibc
2.0 is no longer being updated.  Any newly discovered security holes
will NOT be fixed.....

> Still, a point well taken. It probably would be wise to institute an
> advisory list for package updates and security issues.

A very good idea - and very possibly, a good place for LEAF: to
coordinate package updates, system updates, etc.

> >Anyway.... that's my point.  However, this point of view shows my
> >biases too - I do NOT want someone to tell me "push that button, it
> >works" - my first question then is "WHY does it work?" and "HOW does
> >it work?"  Unfortunately, this gets me into trouble when I start
> >explaining technical stuff to non-technical people :-)
> 
> Nothing wrong with your view point. That is why Oxygen is such a good
> product. (The LEAF Army Knife tm) By the same token, it is also intended for
> the more advanced user. And it shows in the stats. Your stuff gets
> downloaded a lot, yet few questions are being asked on how to use it. Must
> mean they don't need the hand holding. :-)

I see!  One of the things I keep in the back of my mind is I want
Oxygen to work just like Real UNIX(tm) - which is a second reason why
vi is the default editor - but being a vi nut helps too :-)

However, even with my bias, it doesn't mean things have to be hard to
use, and I am a firm believer in ease of use - I just don't want "ease
of use" to get translated to "don't worry, we'll take care of
everything, we know what we're doing" as some corporations have done
in the past....  I want to be able to muck things up :-)

I would say, it was partly this bias of mine that led me to corrupt
LRP so :-) as well as a view of "well, it's broken - so let's fix it."

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel
