Well, there are lies, damn lies and statistics.
Could it be that Exim is embedded in some popular product that makes
them come out on top?
On 10/24/23 18:34, Ricardo Prudenciato via lpi-examdev wrote:
Regarding 202, I only have a point regarding 211.1.
Have you considered increasing the coverage of Exim (or have a
subtopic for), since it's being widely used? This can be seen in this
report
<http://www.securityspace.com/s_survey/data/man.202309/mxsurvey.html>.
The points raised about DNSsec and OpenVPN are interesting but I leave
it to those who have worked more directly with this.
Regards,
Ricardo Prudenciato
On Tue, Oct 24, 2023 at 10:42 AM Bryan Smith via lpi-examdev
<[email protected]> wrote:
Last time I checked, Wireguard's crypto is grossly inefficient for
US NIST FIPS compliance, and forces specific ciphers for speed.
OpenVPN allows the administrators to choose ciphers, and this
includes being Linux kernel FIPS mode compatible.**
In the US, even commercially, US NIST Cybersecurity Maturity Model
Certification (CMMC) v2.0, along with existing US NIST 800-171
(especially updated revision 2), are hitting hard. And outside of
US NIST, many entities (internationally) also follow US DISA
Security Technical Implementation Guides (STIGs), which also
enable FIPS. I can also go into VISA et al. compliance, like DSS PCI.
So ... while I'm not saying US NIST FIPS, CMMC 2.0 and other
compliance should eliminate something from consideration ... it
should bolster considerations to not drop something, in favor of
something else that is not compliant.
- bjs
**P.S. For those unaware, when you put the Linux kernel in FIPS
mode, which is a boot-time setting (can check run-time here
/proc/sys/crypto/fips_enabled), it's not that libraries are
disabled. No, the kernel itself stomps on any insecure
crypto call, even if the library is enabled. It's the one thing
that most people are unaware of when they first run into it. I
even recently called nVidia out for this, for ignoring it for
nearly the past four (4) years with countless forum posts (over
100) and several tickets, when it comes to some of their CUDA
userspace packages.
RE:
https://www.linkedin.com/feed/update/urn:li:activity:7118774386890866688/
On Tue, Oct 24, 2023 at 9:10 AM Simone Piccardi via lpi-examdev
<[email protected]> wrote:
On 23/10/23 19:43, Fabian Thorns via lpi-examdev wrote:
> - Objective 212.5 now covers VPN in a more generic fashion and Wireguard
> instead of OpenVPN
>
Why remove OpenVPN? At least in my experience it is more commonly
used (as it is supported by more firewall appliances) than Wireguard
to connect clients to remote networks.
Simone
--
Simone Piccardi Truelite Srl
[email protected] (email/jabber) Via Monferrato, 6
Tel. +39-347-1032433 50142 Firenze
http://www.truelite.it Tel. +39-055-7879597
_______________________________________________
lpi-examdev mailing list
[email protected]
https://list.lpi.org/mailman/listinfo/lpi-examdev
--
Bryan J Smith - http://www.linkedin.com/in/bjsmith
E-mail: b.j.smith at ieee.org <http://ieee.org> or me at
bjsmith.me <http://bjsmith.me>
--
Jeroen Baten | EMAIL :[email protected]
____ _ __ | web :www.i2rs.nl
| )|_)(_ | tel : +31 (0)648519096
_|_/_| \__) | Frisolaan 16, 4101 JK, Culemborg, the Netherlands