Re: kern.securelevel and X
Justin Wells (jread semiotek.com)
Sat, 16 Oct 1999 05:47:52 -0400
- In reply to: Steve Reid: "Re: kern.securelevel and X"
On Sat, Oct 16, 1999 at 04:50:18AM -0400, Mike Nowlin wrote:
>
> > But I don't think FreeBSD has that capability. I haven't seen any
> > mention of a FreeBSD aperture driver, not even in vaporware form.
> > Maybe people just don't realize such a thing is possible?
>
> ...not really sure I should bring this up, but.......
>
> My belief is that if you feel the necessity to run a machine (especially a
> production box) under a higher secure level, you should not be using that
> box for "general user uses", including X. With the prices of fast
> ethernet and motherboards these days, there's no reason why you can't make
> a workstation for general use that doesn't really mind getting trashed if
> somebody breaks in -- restore a backup tape, and you're ready to go.
> Diskless workstations (slaved off the high-security machine) come to
> mind...

I don't agree with this at all. Workstations are important targets for
attackers, since if you can breach a workstation, you can probably
infiltrate any server that the user of the workstation connects to.
You can sniff passwords, capture TTYs, hijack SSH sessions, find
paths through firewalls... never assume that you would know if an
attacker broke in.

You might say that the workstations could all sit behind a firewall so
that nobody could access them, but many people find it convenient to
have their workstations accessible to the outside world.

While you might be able to get away with less, I think there is a
clear use case for a "network secure" workstation.

Justin