[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW1] Routing functionality
The vulnerability is that it's a service that doesn't need to be there, and installing services that don't need to be there in order to work around problems that exist elsewhere (e.g., internal addressing is such a mess that the firewall can't get by with a few static routes) is a bad idea. So you spend some time securing the service -- wouldn't that time be better spent in fixing the internal address space? As you said, there are no absolutes in security, and you can't be sure that your security measures will be effective. There was an interesting discussion on bugtraq a few months ago about how to break chroot jails in the context of WU's imapd. -- Jack Coates, Rainfinity SE t:m:On Mon, 11 Sep 2000, Brett Eldridge wrote: > > On Tue, 5 Sep 2000, Barry W. Kokotailo wrote: > > > You can probably run any routing protocol that the operating system > > supports. But the use of dynamic routing protocols on any firewall is > > a bad thing to do. > > why? if i protect the system, chroot the gated daemon, use strong hashes > for authentication, limit the ip addresses which can send updates, what is > the vulnerability? > > or are you just repeating what you have heard? > > there are no absolutes in security. > > - brett > > > > > ================================================================================ > To unsubscribe from this mailing list, please see the instructions at > http://www.checkpoint.com/services/mailing.html > ================================================================================ > ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|