| |||||||||||||
Bad SecurityBad SecurityPosted Mar 6, 2007 1:11 UTC (Tue) by flewellyn (subscriber, #5047)In reply to: Bad Security by dark Parent article: Single Packet Authorization (Linux Journal)
Good point, although that can be mitigated by setting up SELinux to control the SPA server's access to system resources.
I do see your point about it being a proliferation of more potentially-vulnerable code. As for its utility...well, it would have the benefit of providing a level of access control beyond the service level, blocking access to a host until the client authenticates, and then allowing connections to provided services. It provides defense in depth of the host.
We can do host-based blocking through the tcp_wrappers suite, but there isn't a way to authenticate a host dynamically: a host in hosts.deny is blocked until the administrator manually removes it (moving it to hosts.allow, depending on setup). Plus, tcp_wrappers works at the application level, not the packet filter level. So tcp_wrappers doesn't (as far as I can tell) prevent a DoS attack.
I could be wrong, of course, but it looks like SPA might provide some useful security. I think the tech is too new to be evaluated properly, though. It definitely needs more testing.
(Log in to post comments)
Bad Security Posted Mar 6, 2007 6:42 UTC (Tue) by job (guest, #670) [Link] The same (that risks can be mitigated by SELinux) could be said about OpenSSH.
Bad Security Posted Mar 6, 2007 8:38 UTC (Tue) by drag (subscriber, #31333) [Link] Ya pretty much.
Personally I like the idea that less software is, on average, is going to more secure then more software. As long as everything is designed for security, that is.
|
|||||||||||||