
Re: secure installation

On Fri, Aug 17, 2007 at 09:41:41AM -0400, Celejar wrote:
> On Thu, 16 Aug 2007 16:49:36 -0700
> Russ Allbery <rra@debian.org> wrote:
> [snip]
> > Firewalls are good in the situation where, whenever you open up new
> > network access, you want to have to make that choice independently in
> > multiple locations.  I'm dubious that this matches the desires of the
> > average user or that forcing them to do this will really result in more
> > security as opposed to further training to just always click Okay.  It's
> > great for administrators who want paranoid control over such things.
> I'm no security expert, but I would suggest that a benefit of
> 'Personal' firewalls is the provision of a simple, systematic way of
> restricting access to services.  Yes, many apps offer some way of doing
> this, but remembering each one's different method of doing this can be
> a headache.  I suppose one really should, for maximum security, but I
> think there's still benefit in a simpler, consistent system.
> Additionally, not all apps do this the same way; for example, sshd can
> be configured to bind to a specific IP address, but what if the address
> is unknowable in advance?  Can it be limited to a specific interface,
> as can be accomplished with a firewall?  Even if the answer is yes, my
> point about simplicity remains.
> I may be off base here; I'm just expressing my (limited) understanding
> of the issue.

no, you are bang on the mark!

absolutely spot on!

I can't help wondering if the problem is more one of the distro being
able to solve the problem of how to supply an implementation, and I'm
not sure how much further forward the conversation can move without
getting its hands dirty.

