From: Niall Smart
Message-Id: <199809200032.BAA05064@indigo.ie>
Date: Sun, 20 Sep 1998 01:32:23 +0000
In-Reply-To: <199809180311.UAA00693@usr04.primenet.com>; Terry Lambert
Reply-To: rotel@indigo.ie
To: Terry Lambert, rotel@indigo.ie
Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets
Cc: sthaug@nethelp.no, hackers@FreeBSD.ORG, questions@FreeBSD.ORG

On Sep 18, 3:11am, Terry Lambert wrote:
} Subject: Re: problem using 3 x znyx314 cards for 12 de ethernets
> > These are different issues, someone can be partly responsible for
> > a smurf attack without ever realising it and (more importantly)
> > without _their_ security/quality of service being compromised. I
> > don't care how many boxes get hacked as long as they aren't mine,
> > but it's reasonable to complain about a configuration which makes
> > it too easy for script kiddies to exploit the ineptitude or
> > carelessness of admins to affect _other_ competent and careful
> > admins' boxes.
> >
> > It's akin to shipping sendmail with open relaying.
>
> If you want a C2 hardened system, quit pussyfooting around and start
> addressing the real issues leading up to C2 certification.

I'm not familiar with the orange book in any detail but suspect C2
hardening would be of little more use than providing a checkbox in
a feature list; seeing C2 Solaris rooted by a standard exploit doesn't
exactly engender confidence in the level of real-world security
required for certification.

> Otherwise,
> griping about something that will never happen given a correctly
> configured firewall, and which "fixing" will break a behaviour that
> is universally known to be useful, seems a bit counter-productive.

It's unfortunate that useful and well-known features are often both
insecure and achievable through secure means. :)

How about a compromise - no replies to broadcast pings from outside
the host's subnet by default?

Niall

--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h