Date: Sat, 16 Oct 1999 05:47:52 -0400 From: Justin Wells <jread@semiotek.com> To: Mike Nowlin <mike@argos.org> Cc: Steve Reid <sreid@sea-to-sky.net>, "Rashid N. Achilov" <shelton@sentry.granch.ru>, freebsd-security@FreeBSD.ORG Subject: Re: kern.securelevel and X Message-ID: <19991016054752.A48505@fever.semiotek.com> In-Reply-To: <Pine.LNX.4.05.9910160444510.25028-100000@jason.argos.org> References: <19991015133335.A410@grok.localnet> <Pine.LNX.4.05.9910160444510.25028-100000@jason.argos.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Oct 16, 1999 at 04:50:18AM -0400, Mike Nowlin wrote: > > > But I don't think FreeBSD has that capability. I haven't seen any > > mention of a FreeBSD aperture driver, not even in vaporware form. > > Maybe people just don't realize such a thing is possible? > > ...not really sure I should bring this up, but....... > > My belief is that if you feel the necessity to run a machine (especially a > production box) under a higher secure level, you should not be using that > box for "general user uses", including X. With the prices of fast > ethernet and motherboards these days, there's no reason why you can't make > a workstation for general use that doesn't really mind getting trashed if > somebody breaks in -- restore a backup tape, and you're ready to go. > Diskless workstations (slaved off the high-security machine) comes to > mind... I don't agree with this at all. Workstations are important targets for attackers, since if you can breach a workstation, you can probably infiltrate any server that the user of the workstation connects to. You can sniff passwords, capture TTY's, hijaack SSH sessions, find paths through firewalls... never assume that you would know if an attacker broke in. You might say that the workstations could all sit behind a firewall so that nobody could access it, but many people find it convenient to have their workstations accessible to the outside world. While you might be able to get away with less, I think there is a clear use case for a "network secure" workstation. Justin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991016054752.A48505>