North American Network Operators Group
Re: IPV6 renumbering painless?
Btw - using Solaris + no_stack_exec + old ssl - appears to be 100% secure from all random attacks (it can be broken - in theory, see articles from 'Solar Designer' - but it is absolutely impractical for hacking). I watched such a system (absolutely not patched, with apache and openssl, untouched for 3 years - we kept it as a honeypot - no single exploit). And if you add IP filter + non-standard port, it protects you 100% even if your service has a broken library. As a result - it is safer to run old openssl + filter + solaris, vs running SuSe linux + automated upgrade + unfiltered openssl. It is a well known thing - want best security - do not use anything standard, customize everything. So, step 1 - filter; step 2 - customize; and step 3 - update. Just updates without the first 2 steps are much more dangerous, vs no updates but the first 2 steps.

PS. Why is it in the IPv6 thread? And why is IP filtering broken? Even a primitive firewall can do enough protection to make any random packets useless.

----- Original Message -----
From: "Christopher L. Morrow" <[email protected]>
To: "Iljitsch van Beijnum" <[email protected]>
Cc: "Henning Brauer" <[email protected]>; <[email protected]>
Sent: Saturday, November 13, 2004 7:09 PM
Subject: Re: IPV6 renumbering painless?

>
> On Sat, 13 Nov 2004, Iljitsch van Beijnum wrote:
>
> > On 13-nov-04, at 10:02, Henning Brauer wrote:
> >
> > > Filtering based on IP addresses is a broken concept.
> >
> > I'm not a huge fan of sprinkling crypto over everything, but if you
> > want certain people to have access to some stuff and not others,
> > IPsec/SSL are the way to go.
>
> there are things putting random packets over the network today, trying to
> exploit services you might be using, or your customers might be using.
> IPSEC everywhere is 'nice' but not horribly practical. SSL is nice, until
> your SSL libraries have remotely exploitable DoS or root
> vulnerabilities... how many times over the last 12 months has openssl been
> upgraded due to 'security' issues?
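The post's "step 1 - filter" argument is that a plain address/port filter in front of an exposed service, combined with a non-standard port, discards the random scan traffic that would otherwise reach a vulnerable library. The following is an added illustration, not code from the thread or from any of its participants: a small evaluator for an IPFilter-style rule set (last matching rule wins unless a rule is marked `quick`, which is how Solaris IP Filter evaluates rules) run over a constructed batch of inbound connection attempts. The rule set, the admin network, the non-standard ports and the sample source addresses are all assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network       # source network the rule applies to
    dport: Optional[int]             # destination port, None = any port
    quick: bool = False              # IPFilter "quick": stop evaluating on match

# Hypothetical rule set following the post's advice: block everything by default,
# expose the web service on a non-standard port, and allow remote admin (ssh moved
# to 2222) only from an internal management network. Addresses are constructed
# (RFC 1918 / RFC 5737), not taken from any real deployment.
RULES: List[Rule] = [
    Rule("block", "any", ipaddress.ip_network("0.0.0.0/0"), None),
    Rule("pass", "tcp", ipaddress.ip_network("0.0.0.0/0"), 8443, quick=True),
    Rule("pass", "tcp", ipaddress.ip_network("192.168.10.0/24"), 2222, quick=True),
]

def decide(proto: str, src_ip: str, dport: int, rules: List[Rule] = RULES) -> str:
    """Return "pass" or "block" for one inbound packet.

    Semantics modelled on IPFilter: every rule is checked in order and the last
    match wins, except that a matching rule flagged `quick` ends evaluation
    immediately. With no match at all the packet is blocked.
    """
    verdict = "block"
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if src not in rule.src:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        verdict = rule.action
        if rule.quick:
            break
    return verdict

# Constructed sample of inbound attempts: a scanner sweeping the standard ports
# the thread worries about (443 and 22), the same scanner probing the
# non-standard ports, and a legitimate admin host on the management network.
SAMPLE: List[Tuple[str, str, int]] = [
    ("tcp", "203.0.113.7", 443),    # scanner -> standard https port
    ("tcp", "203.0.113.7", 22),     # scanner -> standard ssh port
    ("tcp", "203.0.113.7", 8443),   # scanner finds the public web port
    ("tcp", "203.0.113.7", 2222),   # scanner finds the ssh port, wrong source net
    ("tcp", "192.168.10.5", 2222),  # admin host from the management network
    ("udp", "198.51.100.9", 8443),  # udp to the web port: proto does not match
]

def filter_attempts(attempts: List[Tuple[str, str, int]],
                    rules: List[Rule] = RULES) -> List[Tuple[str, str, int, str]]:
    """Annotate each attempt with the filter's verdict."""
    return [(p, ip, port, decide(p, ip, port, rules)) for p, ip, port in attempts]

def blocked_count(attempts: List[Tuple[str, str, int]],
                  rules: List[Rule] = RULES) -> int:
    """How many of the attempts never reach a listening service."""
    return sum(1 for *_, v in filter_attempts(attempts, rules) if v == "block")

if __name__ == "__main__":
    for proto, ip, port, verdict in filter_attempts(SAMPLE):
        print(f"{verdict:5} {proto} {ip}:{port}")
    print(f"{blocked_count(SAMPLE)} of {len(SAMPLE)} attempts blocked")
```

The point the filter makes visible is the one the post relies on: of the six attempts only the public web port from anywhere and the ssh port from the management network get through, so a scanner hitting standard ports, or the right port from the wrong network, never exercises the service's library at all. The complementary caveat from the quoted reply still holds for the traffic that does pass: the web service on 8443 is reachable from any source, so an exploitable SSL library behind it is still exposed to whoever finds the port, which is why the filter is step 1 rather than the whole plan.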