From: Ben Laurie (benALGROUP.CO.UK)
Date: Tue Mar 06 2001 - 03:05:32 CST


    Perry Harrington wrote:
    >
    > I don't think the behavior should change because of DSR. DSR is more useful
    > than 'rightness' in my opinion. A switch to turn it off if you don't want it is
    > something I'd advocate, but the default should be 'on'.

    The FreeBSD guys are making the behaviour switchable with a sysctl, I
    believe. However, the default position should clearly be strong, not
    weak - people who want weak are rare and really ought to know what
    they're doing. POLA dictates that "internal" routing should not occur
    when routing is disabled. Further, there's no circumstance I can think
    of where it makes sense to route 127/8 from an external interface! That
    behaviour should not be switchable.

    Cheers,

    Ben.

    >
    > --Perry
    >
    > On Mon, Mar 05, 2001 at 06:18:33PM -0800, ddowneymail.hislinuxbox.net wrote:
    > > On Mon, 5 Mar 2001, Perry Harrington wrote:
    > >
    > > > In short, yes security through obscurity is dumb, but calling for people to change
    > > > this functionality is unwarranted when machines can be firewalled.
    > > >
    > >
    > >
    > > Actually to me this sounds more like an excuse NOT to fix the problem
    > > simply because it's "industry standard".
    > >
    > > Sometimes standards need to be looked at and revamped. In this case it's
    > > one that would affect the industry as a whole. Are you calling for
    > > advisories only simply because the workload would be tremendous or because
    > > you truly believe that fixing this would affect nothing?
    > >
    > >
    > > ---
    > > David D.W. Downey - RHCE
    > > Consulting Engineer
    > > Ensim Corporation
    > > david.downeyensim.com
    > >
    > >
    >
    > --
    > Perry Harrington Director of zelur xuniL ()
    > perry at webcom dot com System Architecture Think Blue. /\
    >

    --
    http://www.apache-ssl.org/ben.html
    

    "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff

    ApacheCon 2001! http://ApacheCon.com/
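
The acceptance policy argued for in the message above, modelled as an added example; this is not code from the thread or from any operating system. The interface names, addresses and the `accept_packet` function are hypothetical, and the host is assumed to have forwarding disabled.

```python
import ipaddress

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample host: interface name -> addresses assigned to it.
SAMPLE_HOST = {
    "lo0": ["127.0.0.1"],
    "ext0": ["192.0.2.10"],
    "int0": ["10.0.0.1"],
}


def accept_packet(host, in_iface, dst, strong=True, loopback_ifaces=("lo0",)):
    """Return (accepted, reason) for a packet to `dst` arriving on `in_iface`.

    `strong` selects the strong or weak behaviour; the 127/8 rule is applied
    before that switch is consulted, so it cannot be turned off.
    """
    dst_ip = ipaddress.ip_address(dst)

    # 127/8 is only ever valid on a loopback interface.
    if dst_ip in LOOPBACK_NET:
        if in_iface in loopback_ifaces:
            return True, "loopback destination on loopback interface"
        return False, "loopback destination on non-loopback interface"

    # Destination is assigned to the interface the packet arrived on.
    if any(ipaddress.ip_address(a) == dst_ip for a in host[in_iface]):
        return True, "destination assigned to arrival interface"

    # Destination is local, but assigned to a different interface:
    # this is the "internal" routing case the two models disagree on.
    on_other_iface = any(
        ipaddress.ip_address(a) == dst_ip
        for name, addrs in host.items() if name != in_iface
        for a in addrs
    )
    if on_other_iface:
        if strong:
            return False, "destination belongs to another interface (strong)"
        return True, "destination belongs to another interface (weak)"

    return False, "not a local address and forwarding is disabled"
```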