Hi, tcp-wrappers, article
Cary B. O'Brien
cobrien "at" access.digex.net
Fri, 13 Mar 1998 16:18:26 +0000
> > the listen address to (rather than IADDR_ANY). This way I could bind
> > the listen address to 128.0.0.1 (loopback), and have a tcp-wrapper
>
> 127.0.0.1 ..
>
> > protected netcat or redir listening for connections from my machine,
> > which would be forwarded to Xvnc. This would also be good for dual-homed
> > machines in DMZ-type firewall setups. This would allow connections only from
> > the internal lan.
>
> And if you have source routing facilities on your box you can potentially
> be open to abuse.
>
True, but that's one of the first things I turn off on exposed boxes, and
I sure hope the firewall guy has it disabled (gotta check that).
> > 2) Build in source address based authentication using the library that
> > comes with tcp_wrappers.
> >
> > Comments?
>
> I think it's better to do the job properly. Assuming you only care about
> authentication and not also data hiding then MD5 signatures are probably
> enough security (like PPP CHAP protocol). MD5 is free, exportable worldwide
> and not (currently 8)) subject to patent stupidities.
>
True, but I'm kind of a belt-and-braces guy [1]. I worry that
passwords are subject to social engineering [2] attacks, so I'd like
another layer of security. I'd just like to be sure that external
access just can't happen.
-- cary
[1] Wearing both a belt and suspenders to keep your pants up, i.e., likes
redundancy.
[2] Like looking through people's day-planners, or in drawers, or in
their stored e-mail when they leave their offices. Or the wastebasket
near the printer.
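An added configuration sketch (not part of Cary's message or the original thread) of the setup discussed above: Xvnc bound to loopback, with a tcp-wrapper-protected netcat as the only externally reachable listener, restricted to the internal LAN. The service name, file paths, the Xvnc display port 5901 and the 192.168.1.0/24 internal network are assumptions.

```conf
# /etc/services (added entry, assumed): give the exposed port a name so
# classic inetd can look it up
vnc             5900/tcp

# /etc/inetd.conf: every connection to the VNC port goes through tcpd, which
# consults hosts.allow/hosts.deny before exec'ing netcat. netcat then relays
# its stdin/stdout to the Xvnc display that listens only on 127.0.0.1:5901.
vnc stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/nc 127.0.0.1 5901

# /etc/hosts.deny: default deny for every wrapped service, and log the refused
# attempt (spawn requires a tcp_wrappers built with the extended options).
ALL: ALL: spawn (/usr/bin/logger -p auth.notice "wrappers denied %d from %c")

# /etc/hosts.allow: only loopback and the internal LAN (constructed
# 192.168.1.0/24) may reach the forwarder. tcpd matches the daemon field
# against the basename of the program in inetd.conf, hence "nc".
nc: 127.0.0.1 192.168.1.
```

This is purely source-address based, so it is only as strong as the kernel's handling of source-routed packets, which the thread already notes should be disabled on the exposed box.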