[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: hurd does NOT need /hurd

On Tue, May 21, 2002 at 06:12:00AM +1000, Anthony Towns wrote:
> On Mon, May 20, 2002 at 12:13:41PM -0700, Thomas Bushnell, BSG wrote:
> > 1. Debian does not have firewalling by default, so if firewalling is
> > necessary for security, then it is not secure by default.
> It does: it has spoof protection enabled and forwarding disabled by
> default.  

That's not firewalling. For all we know, hurd might not even be able to
forward packages. </joke> But that doesn't mean it's firewalled. And the
linux spoof protection is more harmful than beneficial in many cases,
and should hardly be considered the gold standard of hurd's

> In any event, default behaviour isn't the issue: it's whether
> or not you have any real control over your network interfaces.

I'm sure hurd has fundamental control: if they don't want someone
connecting to a hurd box, they won't run any network servers. 

> > 2. Firewalling is not actually an asset in network security; the
> > notion that it is is misguided and thoroughgoingly erroneous.
> That's the most bizarre statement I've seen for at least an hour.

It's also correct, from a certain point of view. </obi-wan> There is a
school of thought that firewalls are only useful if you are trying to
protect network services that you can't secure properly. You might
disagree, but there is a certain truth. What does a firewall really do?
It blocks packets. Why does it block packets? To keep the packets from
doing something bad. If you trust the software on your machine not to do
something bad, regardless of what packets it recieves, what does the
firewall add? More importantly, for this school of thought, is the fact
that firewalls offer a false sense of security. If you *don't* trust the
software running on your machine, why are your running in the first
place? What if your firewall breaks? What if a "trusted" host launches
an attack? The only real security is to trust your network-attached
hosts--a firewall can't fix a broken system. You might argue for defense
in depth, even if you do trust the software on your machine (heck, I
might argue for defense in depth :) but unfortunately that's not the
reason many firewalls are deployed.

Mike Stone

Attachment: pgpbf0GNcB_rZ.pgp
Description: PGP signature

Reply to: