Date:      Sun, 20 Sep 1998 09:11:00 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        rotel@indigo.ie
Cc:        tlambert@primenet.com, sthaug@nethelp.no, hackers@FreeBSD.ORG, questions@FreeBSD.ORG
Subject:   Re: problem using 3 x znyx314 cards for 12 de ethernets
Message-ID:  <199809200911.CAA12904@usr06.primenet.com>
In-Reply-To: <199809200032.BAA05064@indigo.ie> from "Niall Smart" at Sep 20, 98 01:32:23 am

> I'm not familiar with the orange book in any detail but suspect C2
> hardening would be of little more use than providing a checkbox in
> a feature list;  seeing C2 Solaris rooted by a standard exploit
> doesn't exactly engender confidence in the level of real-world security
> required for certification.

You are complaining about a certification issued as the result of a
bogus audit.

This is a different problem.

> > Otherwise,
> > griping about something that will never happen given a correctly
> > configured firewall, and which "fixing" will break a behaviour that
> > is universally known to be useful, seems a bit counter-productive.
> 
> It's unfortunate that useful and well-known features are often both
> insecure and achievable through secure means.  :)

You mean "unachievable", right?

> How about a compromise - no replies to broadcast pings from outside
> the host's subnet by default?

The IP stack should have discarded these before they got to that point,
since that is the point of a subnet mask.

If this isn't happening, then I agree that there's a bug, but it's
in this area, and not in the area of whether or not broadcast pings
should be replied to at all.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
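
The compromise discussed in this message (answer broadcast pings only when the sender is inside the host's subnet), written out as an added example; it is not code from this message or from FreeBSD. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers; all addresses are IPv4 in host byte order. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* True if dst is the limited broadcast (255.255.255.255) or the directed
 * broadcast of the interface's own subnet (network part matches, all host
 * bits set). */
static bool is_broadcast_dst(uint32_t dst, uint32_t ifaddr, uint32_t mask)
{
    if (dst == 0xffffffffu)
        return true;
    return (dst & mask) == (ifaddr & mask) && (dst & ~mask) == (uint32_t)~mask;
}

/* True if src lies in the same subnet as the receiving interface. */
static bool same_subnet(uint32_t src, uint32_t ifaddr, uint32_t mask)
{
    return (src & mask) == (ifaddr & mask);
}

/* Policy: unicast echo requests are always answered; broadcast echo
 * requests are answered only when the sender is on the local subnet. */
bool should_reply_echo(uint32_t src, uint32_t dst, uint32_t ifaddr, uint32_t mask)
{
    if (dst == ifaddr)
        return true;
    if (!is_broadcast_dst(dst, ifaddr, mask))
        return false;               /* not addressed to this host at all */
    return same_subnet(src, ifaddr, mask);
}

int main(void)
{
    /* Constructed sample: interface 192.0.2.10/24. */
    uint32_t ifaddr = IP4(192, 0, 2, 10), mask = IP4(255, 255, 255, 0);
    printf("on-link broadcast ping:  %d\n",
           should_reply_echo(IP4(192, 0, 2, 20), IP4(192, 0, 2, 255), ifaddr, mask));
    printf("off-link broadcast ping: %d\n",
           should_reply_echo(IP4(198, 51, 100, 7), IP4(192, 0, 2, 255), ifaddr, mask));
    printf("off-link unicast ping:   %d\n",
           should_reply_echo(IP4(198, 51, 100, 7), ifaddr, ifaddr, mask));
    return 0;
}
```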
