[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: hurd does NOT need /hurd

On Mon, May 20, 2002 at 12:13:41PM -0700, Thomas Bushnell, BSG wrote:
> "John H. Robinson, IV" <jhriv@ucsd.edu> writes:
> > Debian (using a linux, bsd, or gnumach/l4 (micro)kernel) should be
> > ``Secure by default.'' if this means that no firewalling -> no debian
> > release, then so be it.
> Except:
> 1. Debian does not have firewalling by default, so if firewalling is
> necessary for security, then it is not secure by default.

Valid point; perhaps we should fix it. Probably a long undertaking.

> 2. Firewalling is not actually an asset in network security; the
> notion that it is is misguided and thoroughgoingly erroneous.

I hope you meant to say "automatically" rather than "actually", or, as
a professional network engineer, I'm going to have to hurt myself laughing
at you.

Firewalling is *not* automatically a benefit, any more than having locks on
your car is a benefit to prevent theft. You also need a key, and you need
to *use* the locks... but if you're really trying to claim that the use of
configured firewalling (even 'configured to defaults') is not useful to
network security, then you are making an assertion that runs counter to the
vast majority of both research and field experience on the topic.

Rule #1: attackers cannot attack what they cannot reach. Firewalls are not
perfect; they can be misconfigured, disabled, and in some cases (which do
apply to Debian), machine-based firewalls can have bugs in the firewalling
code which expose parts of the machine despite the firewall, or machines
behind the firewall. But I'll take a 99% reduction in attack vectors any
day of the week, thanks.

> 3. Picking some random kernel feature and saying "this must be there
> or it can't be Debian" is not appropriate.  That's just not how policy
> works.

I can't comment usefully on this, so I won't.
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: