> linux is a Good Move ... certainly, in its default state, it's at
> least as secure (when used as a firewall) as anything emanating from
> a certain purveyor of operating systems based near Seattle. It's
> cheaper, too!
Please note: Seattle is about 5000 miles from where I am, despite my
address, and I'm about fifteen times closer to Brian than I am to Bill. I
also make absolutely no comment (I'm explicitly not allowed to speak for
anyone but myself in a personal capacity) about the relative suitability of
linux and any other operating systems for hosting a firewall. I will make
one snide comment though --- Drawbridge ran very successfully on that
paragon of security MS-DOS before it was ported to FreeBSD, where it now
runs equally successfully 8-)
> Hey, I'm a security guru of a sort ... the idea is not to run
> anything which gives crackers a toehold, or causes unacceptable
> throttling of the firewall throughput.
Indeed. My advice is never to run anything on a firewall which you can't
prove to your complete satisfaction is absolutely necessary. Given that a
FW can be run on almost any old kit, you can hardly complain about hardware
costs. I used to run the aforementioned Drawbridge and MSDOS on a 386sx-16
with 4M RAM, a 40M disk and two cheap ISA 3Com cards. It was easily capable
of supporting a 10M ethernet with a couple of dozen machines behind it.
It may sound like paranoia --- it *is* paranoia --- but by being paranoid
you have a hope of resisting attacks no-one has yet thought of.
> Few of us know what code George has embedded in the code which
> computes the tag which PrimeNet uses to check that incoming results
> are genuine. However, this does not seem to present a major risk!
George is an honorable man, I'm sure, and has not knowingly put in any
loopholes. I'm equally sure that he's not infallible and that he will
freely admit to this. Do *you* want to bet the security of your site even
more than you are now doing?
> I've run mprime on an anonymous FTP server for almost 18 months &
> haven't had any incidents (yet). The basic rules are (a) always run
Ditto with NTprime. It really does seem to be a well-behaved program. Even
so, it doesn't run on my firewalls.
> All this is virtually paranoia since I believe the risk posed by
> running mprime is practically nil - but it's good practice, anyway.
Yup. Paranoia is a survival characteristic.
Paul
_________________________________________________________________
Unsubscribe & list info -- http://www.scruz.net/~luke/signup.htm
Mersenne Prime FAQ -- http://www.tasam.com/~lrwiman/FAQ-mers
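Added example, not from the post above or from any of the tools it mentions: Paul's rule ("never run anything on a firewall which you can't prove is absolutely necessary") is easy to state and easy to let slip as a box accumulates services. The script below turns it into a check: an allow-list of the processes and listening sockets that are justified on the firewall, and two functions that flag anything else. The allow-lists and the process/socket snapshots are constructed sample data; on a real host you would feed in the output of `ps -eo comm=` and `ss -tunlH` (or `netstat -an`, `sockstat -l` on the BSDs) instead.

```shell
#!/bin/sh
# Added example (not from the original post). Enforces "nothing on the
# firewall you can't justify" as a check rather than a sentiment.
# All allow-lists and snapshots below are constructed for the example.

# Processes that ARE justified on this firewall (assumed allow-list).
ALLOWED_PROCS="init
syslogd
sshd
pf"

# Listening sockets that ARE justified, as proto/port (assumed allow-list).
ALLOWED_PORTS="tcp/22"

# Constructed snapshot of process names, in the shape `ps -eo comm=` gives.
SAMPLE_PROCS="init
syslogd
sshd
pf
mprime
httpd"

# Constructed snapshot in the shape of `ss -tunlH` output:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SOCKETS="tcp  LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp  LISTEN 0 128 127.0.0.1:21  0.0.0.0:*
udp  UNCONN 0 0   0.0.0.0:514   0.0.0.0:*"

# in_list NAME LIST: succeed if NAME is exactly one line of LIST.
in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# audit_procs OBSERVED ALLOWED: print every process name in OBSERVED
# (whitespace separated) that is not on ALLOWED. Returns 1 if any were found.
audit_procs() {
    rc=0
    for p in $1; do
        if ! in_list "$p" "$2"; then
            printf 'UNEXPECTED: %s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# audit_sockets SNAPSHOT ALLOWED: parse ss-style lines, reduce each to
# proto/port (the port is whatever follows the last ':' of the local
# address, so IPv6 "[::]:22" works too) and print any not on ALLOWED.
# Returns 1 if any were found.
audit_sockets() {
    rc=0
    while read -r netid _ _ _ local _; do
        [ -n "$netid" ] || continue
        key="$netid/${local##*:}"
        if ! in_list "$key" "$2"; then
            printf 'UNEXPECTED: %s\n' "$key"
            rc=1
        fi
    done <<EOF
$1
EOF
    return $rc
}

# Stand-alone run against the constructed snapshots.
if [ "${0##*/}" != "sh" ]; then
    audit_procs "$SAMPLE_PROCS" "$ALLOWED_PROCS"
    audit_sockets "$SAMPLE_SOCKETS" "$ALLOWED_PORTS"
fi
```

Run from cron on the firewall and mail yourself anything it prints; a silent run is the normal case, and the day mprime (or a stray ftpd) shows up you find out before someone else does. The allow-list is the inventory you are "proving to your complete satisfaction": every entry on it should have a one-line reason next to it in your notes.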