Hugh Irvine writes:
> On Sun, 31 Oct 1999, Scott Adkins wrote:
> > 
> > I would suggest a couple new features that would allow the above suggestion
> > from John work, similar to how Apache does it:
> > 
> >   <LIMIT>
> >     Order Deny,Allow
> >     AllowFrom <IP_PATTERN> <IP_PATTERN> ...
> >     DenyFrom <IP_PATTERN> <IP_PATTERN> ...
> >   </LIMIT>
> > 
> > In any case, keep security in mind when configuring your radius server,
> > even if you are sitting behind a firewall or router using filters.
> > 
> 
> Again IMHO - if you want to do filtering (and I really think you do), you
> should be running something like ip-filter at the kernel level and *everything*
> running on the box should be explicitly listed in the filter config. Also,
> everything that isn't required on the box should be explicitly *turned off*.
> That way you know *exactly* what is running on the box and you know *exactly*
> what is allowed to access those services that are running.

Nope... this isn't a philosophy I care to believe in.  Yes, IP Filter *is*
a nice thing, but I don't believe that security should rely on IP Filter to
do all the work.  That is why TCP Wrappers exist, that is why xinetd has its
own access control, and that is also why SSH has its own access control.  I
believe security should be a multitiered philosophy.

Secondly, IP Filter doesn't run on as many types of OS's as Radiator will.  I
strongly urge you not to get trapped in shifting security responsibility away
from your product and onto the OS (which I doubt can ever be truly secure).

At this point, I am familiar enough with the code to know that it probably
would be hard to add some lines of code to deal with connections in a secure
manner.  If I get time, I will do it myself :-)

> Believe me - an ounce of prevention is worth *tons* of care ....

I totally agree... and that is why I believe Radiator should go that extra 
ounce to supplement what security is already on the machine... not rely upon
it.

Thanks,
Scott
-- 
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
      Scott W. Adkins                    http://www.cns.ohiou.edu/~sadkins/
   UNIX Systems Engineer                    mailto:[EMAIL PROTECTED]
        ICQ 7626282                     Work (740)593-9478 Fax (740)593-1944
 +-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
       CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979

===
Archive at http://www.thesite.com.au/~radiator/
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
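The thread proposes an Apache-style `<LIMIT>` block (Order / AllowFrom / DenyFrom) for Radiator but never spells out how such rules would be evaluated. The following is an added example, not code from Radiator or from anyone in the thread, that implements Apache's `Order` semantics over IP patterns so the two orderings can be compared on concrete addresses. The directive names, the accepted pattern forms (full address, CIDR, partial dotted quad, `all`), and the sample configurations are assumptions made for this example. One caveat worth keeping in mind with any source-address check on a RADIUS server: RADIUS runs over UDP, so a source address is trivially spoofable and this kind of list only complements the shared-secret check, it does not replace it.

```python
import ipaddress

# Constructed example: evaluator for the proposed <LIMIT> block.
# This is illustrative code, not Radiator's implementation; the directive
# names and pattern syntax are assumptions modelled on Apache's.


def _parse_pattern(pattern):
    """Turn one IP_PATTERN into an ip_network.

    Accepted forms (assumed for this example):
      all              -> 0.0.0.0/0
      192.0.2.10       -> a single host
      192.0.2.0/24     -> CIDR
      192.0.2          -> partial dotted quad, i.e. 192.0.2.0/24
    """
    if pattern.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if all(o.isdigit() for o in octets) and 1 <= len(octets) < 4:
        prefix = 8 * len(octets)
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)
    return ipaddress.ip_network(pattern, strict=False)


def parse_limit_block(text):
    """Parse a <LIMIT> ... </LIMIT> block into (order, allow_nets, deny_nets).

    Apache's default Order is Deny,Allow, so that is the default here too.
    """
    order, allow, deny = "Deny,Allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blank, comment, or the <LIMIT>/</LIMIT> wrapper
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if key == "order":
            order = rest.replace(" ", "")
        elif key == "allowfrom":
            allow += [_parse_pattern(p) for p in rest.split()]
        elif key == "denyfrom":
            deny += [_parse_pattern(p) for p in rest.split()]
        else:
            raise ValueError(f"unknown directive: {parts[0]}")
    if order not in ("Deny,Allow", "Allow,Deny"):
        raise ValueError(f"bad Order value: {order}")
    return order, allow, deny


def is_allowed(addr_str, order, allow, deny):
    """Apply Apache 'Order' semantics to one client address.

    Deny,Allow: unmatched addresses are allowed; an Allow match overrides Deny.
    Allow,Deny: unmatched addresses are denied; a Deny match overrides Allow.
    """
    addr = ipaddress.ip_address(addr_str)
    allowed = any(addr in n for n in allow)
    denied = any(addr in n for n in deny)
    if order == "Deny,Allow":
        return allowed or not denied
    return allowed and not denied


def evaluate(config_text, addr_str):
    """Convenience wrapper: parse the block and test one address."""
    order, allow, deny = parse_limit_block(config_text)
    return is_allowed(addr_str, order, allow, deny)


# Constructed sample configurations (documentation-range addresses).
# Deny everything, then allow one /24 and one host: the usual "default deny".
DENY_THEN_ALLOW = """
<LIMIT>
    Order Deny,Allow
    DenyFrom all
    AllowFrom 192.0.2 198.51.100.7
</LIMIT>
"""

# Allow a /24 but carve out one bad host; everything else is denied.
ALLOW_THEN_DENY = """
<LIMIT>
    Order Allow,Deny
    AllowFrom 192.0.2.0/24
    DenyFrom 192.0.2.99
</LIMIT>
"""

# The footgun: Order Deny,Allow with no DenyFrom line allows every address.
NO_DENY_LINE = """
<LIMIT>
    Order Deny,Allow
    AllowFrom 192.0.2
</LIMIT>
"""

if __name__ == "__main__":
    for name, cfg in (("deny-then-allow", DENY_THEN_ALLOW),
                      ("allow-then-deny", ALLOW_THEN_DENY),
                      ("no-deny-line", NO_DENY_LINE)):
        for client in ("192.0.2.55", "192.0.2.99", "198.51.100.7", "203.0.113.1"):
            print(f"{name:16} {client:14} -> {evaluate(cfg, client)}")
```

The third configuration is the one to watch for: with `Order Deny,Allow` the unmatched default is "allow", so an `AllowFrom` line on its own restricts nothing. Whichever process-level list a server grows, the evaluation order and the default for unmatched addresses need to be stated in the documentation, or the list gives a false sense of the kernel-level filtering Hugh describes.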
