| |||||||||||||
That's not the only meaning of that statementThat's not the only meaning of that statementPosted Feb 2, 2006 4:05 UTC (Thu) by elanthis (guest, #6227)In reply to: That's not the only meaning of that statement by Ross Parent article: Van Jacobson's network channels
And my point remains... what is that unprivileged process going to do that you couldn't do by plugging in a laptop or some other device onto the network?
If you are implicitly trusting every packet sent by some 'trusted' host (which, if it were truly trusted, would never be running any malicious code anyhow), or trusting anything running on port 1024 down, you're not running a very secure network at all.
There is no security at the IP level at all. If you want trust and security, you have to put it all in higher layers.
(Log in to post comments)
That's not the only meaning of that statement Posted Feb 2, 2006 5:28 UTC (Thu) by Ross (subscriber, #4065) [Link] If you're only point is that security shouldn't depend on the network not being compromised I agree. However malicious users with unfettered physical access are not at all equivalent to malicious processes running under unpriviledged ids and that anything which makes them equivalent is decreasing security. Does it matter for well designed programs? No. But unfortunately tons of commonly used software is not well designed. If you can't trust IPs, port numbers, etc. many things break down. If you can't trust a program a user downloaded you should worry, but your network is not automatically compromised unless there is something which can be exploited on the system.
|
|||||||||||||