Hi, tcp-wrappers, article
Cary B. O'Brien
cobrien "at" access.digex.net
Fri, 13 Mar 1998 16:18:26 +0000
> > the listen address to (rather than IADDR_ANY). This way I could bind
> > the listen address to 127.0.0.1 (loopback), and have a tcp-wrapper
> 127.0.0.1 ..
> > protected netcat or redir listening for connections from my machine,
> > which would be forwarded to Xvnc. This would also be good for dual-homed
> > machines in DMZ-type firewall setups. This would allow connections only from
> > the internal lan.
> And if you have source routing facilities on your box you can potentially
> be open to abuse.
True, but that's one of the first things I turn off on exposed boxes, and
I sure hope the firewall guy has it disabled (gotta check that).
> > 2) Build in source address based authentication using the library that
> > comes with tcp_wrappers.
> > Comments?
> I think it's better to do the job properly. Assuming you only care about
> authentication and not also data hiding then MD5 signatures are probably
> enough security (like PPP CHAP protocol). MD5 is free, exportable worldwide
> and not (currently 8)) subject to patent stupidities
True, but I'm kind of a belt-and-braces guy [1]. I worry that
passwords are subject to social engineering [2] attacks, so I'd like
another layer of security. I'd just like to be sure that external
access just can't happen.

[1] Wearing both a belt and suspenders to keep your pants up. I.E. likes
[2] Like looking through people's day-planners, or in drawers, or in
their stored e-mail when they leave their offices. Or the wastebasket
near the printer.
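The setup discussed in this thread (a listener bound to loopback rather than INADDR_ANY, with a tcp_wrappers-style source-address check in front of the backend) as an added example. This is not code from the thread, from netcat, redir or the tcp_wrappers library; the `vncwrap` daemon name, the simplified hosts.allow-like rule syntax and the sample networks are constructed for the demonstration.

```python
"""Added example (not from the mailing-list thread): a small TCP listener that
binds only to loopback and applies a tcp_wrappers-style source-address
allow list before it would hand the connection to a backend such as Xvnc.
The rule syntax is a simplified, hypothetical subset of hosts.allow
('daemon: client list'); it is not libwrap from the tcp_wrappers package."""
import ipaddress
import socket
import threading

# Constructed sample rules, modelled on hosts.allow. Only IP literals and
# CIDR blocks are understood; 192.0.2.0/24 is documentation address space.
RULES = """
# vncwrap: the hypothetical wrapper that would forward to Xvnc
vncwrap: 127.0.0.1 192.0.2.0/24
"""


def parse_allow_rules(text):
    """Parse 'daemon: net net ...' lines into {daemon: [ip_network, ...]}.
    Blank lines and '#' comments are ignored."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, _, clients = line.partition(":")
        nets = [ipaddress.ip_network(c, strict=False) for c in clients.split()]
        rules.setdefault(daemon.strip(), []).extend(nets)
    return rules


def is_allowed(rules, daemon, peer_ip):
    """Default deny: the peer address must fall inside a listed network
    for this daemon; unknown daemons have no allowed networks at all."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in rules.get(daemon, []))


def bind_loopback_listener(port=0):
    """Bind to 127.0.0.1 only, the alternative to INADDR_ANY discussed in
    the thread. Port 0 lets the kernel pick a free port for the demo."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    return s


def serve_one(listener, rules, daemon):
    """Accept one connection, check its source address, and answer with the
    verdict. A real wrapper would forward an allowed connection to the
    backend and simply close a denied one."""
    conn, (peer_ip, _) = listener.accept()
    with conn:
        verdict = b"ALLOW\n" if is_allowed(rules, daemon, peer_ip) else b"DENY\n"
        conn.sendall(verdict)
        return verdict.strip().decode()


def demo():
    """Round trip over loopback: returns the server-side verdict and what
    the client received. The client connects from 127.0.0.1, which is listed."""
    rules = parse_allow_rules(RULES)
    listener = bind_loopback_listener()
    port = listener.getsockname()[1]
    result = {}
    t = threading.Thread(
        target=lambda: result.update(server=serve_one(listener, rules, "vncwrap"))
    )
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        result["client"] = c.recv(16).decode().strip()
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Binding to loopback keeps the port off external interfaces entirely; the address check is the second layer the thread is after, so a packet that still arrives with an off-list source (for instance via source routing, if that has not been disabled) is refused rather than forwarded.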