> > Just a general note. Using a firewall to protect a port or using IP
> > filtering or changing the port number are not fixes to the security
> > problem. They are workarounds. Being able to shut down the server
> > remotely is a serious security hole and needs to be treated as such.
>
> Being able to shut down the server remotely is indeed a serious security
> hole.
>
> But IMHO the real solution is to use a firewall - and I strongly
> disagree it is a workaround. Heck - X11 does have 3-4 password-checking
And I absolutely disagree that it is a real solution. I'm not
downplaying the importance of using a firewall. You use it because there
are vulnerabilities that are not known and it offers a good way of
limiting the range and scope of such vulnerabilities.
> mechanisms, but I don't think any decent network relies on this and lets 6000
> open. Same for NFS or SMB - again, both have built-in security ( more or
> less ).
Yes. And if you knew that all were truly secure, you wouldn't need to
have a firewall. The problem is you can't know that they are secure and
in fact can be relatively sure that they aren't so you use a firewall to
help guard against the vulnerabilities you don't know of. To use a
firewall as a solution to a known vulnerability is only reasonable in
the short term, until one manages to fix it. At this point, everyone who
is running Tomcat and older without a firewall who doesn't read these
groups is at risk. Doing an IP check to ensure that the command is from
localhost is a fix and that is already in the system. I just worry about
anyone who thinks that a firewall is a panacea and that all security
concerns are fixed with its installation.
> If anyone contributes code to do extra checks I think we would be happy to
> include it.
>
> I think it's a big mistake to assume anything is secure - including a
> firewall or multiple firewalls, but it's important to at least minimize
> the risks - and so far the best way is to use IP-level mechanisms wherever
> possible. It's a well tested mechanism ( as opposed to any home-grown
> security mechanism ).
Absolutely. I'm not saying that one should get rid of one's firewall
once this issue is resolved. I don't think anything is all that secure.
Using a firewall is an important step in securing a system. But that
doesn't stop me from shutting down all non-used ports on the computer
itself, stopping all non-necessary services, removing unnecessary
accounts, using strong passwords or PKs and generally doing everything
to make sure that I've kept up with security patches for any machine I
harden. If you feel confident dropping a firewall in front of a network
of machines which all have empty passwords for root, go ahead.
>
> We have the start of an admin interface, it's easy to just use it to stop
> tomcat.
Which is the best long-term solution.
I'm not trying to attack anyone here and don't want to sound ungrateful
about the work being done or disrespectful of those doing it. I just get
very worked up about matters of security.
--Tim
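The thread above contrasts a firewall (an outer layer) with an in-process IP check that only honours the shutdown command when it arrives from localhost. The following is an added example, not Tim's code and not Tomcat's own implementation: a minimal shutdown listener that applies both of the in-host layers the discussion points at, binding only to the loopback interface and separately verifying the peer address of every connection (including IPv6 `::1` and the IPv4-mapped form a dual-stack socket reports). The command string `SHUTDOWN`, the class and function names, and the ephemeral port are assumptions constructed for this example.

```python
"""Loopback-only shutdown listener (added example; not Tomcat's code).

Two layers are shown: the listener binds to 127.0.0.1 so the port is not
reachable from the network at all, and handle_shutdown_request() checks the
peer address anyway, so a misconfigured bind (0.0.0.0) would still not let a
remote host stop the server. A firewall would be a third, outer layer and is
not modelled here.
"""
import ipaddress
import socket
import threading

SHUTDOWN_COMMAND = b"SHUTDOWN"   # constructed command string for this example


def is_loopback_peer(peer_ip: str) -> bool:
    """True only for addresses that can originate on this host.

    Accepts 127.0.0.0/8, ::1 and IPv4-mapped IPv6 loopback (::ffff:127.x.x.x),
    which is what a dual-stack IPv6 socket reports for an IPv4 client.
    Anything unparseable is treated as non-local.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def handle_shutdown_request(peer_ip: str, payload: bytes) -> str:
    """Decide what to do with one connection; returns an audit verdict string."""
    if not is_loopback_peer(peer_ip):
        return "rejected: non-local peer"
    if payload.strip() != SHUTDOWN_COMMAND:
        return "rejected: unknown command"
    return "shutdown accepted"


class ShutdownListener:
    """TCP listener bound to the loopback address only."""

    def __init__(self, port: int = 0, bind_host: str = "127.0.0.1"):
        # Binding to 127.0.0.1 rather than 0.0.0.0 is the configuration fix;
        # the peer check in handle_shutdown_request() is the second layer.
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.verdicts = []

    def serve_one(self) -> str:
        """Accept one connection, evaluate it, reply with the verdict."""
        conn, (peer_ip, _) = self.sock.accept()
        with conn:
            payload = conn.recv(64)
            verdict = handle_shutdown_request(peer_ip, payload)
            conn.sendall(verdict.encode())
        self.verdicts.append(verdict)
        return verdict

    def close(self) -> None:
        self.sock.close()


def demo_local_shutdown() -> str:
    """Connect over loopback, send the command, return the listener's reply."""
    listener = ShutdownListener()
    worker = threading.Thread(target=listener.serve_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", listener.port)) as client:
        client.sendall(SHUTDOWN_COMMAND + b"\n")
        reply = client.recv(64).decode()
    worker.join()
    listener.close()
    return reply


if __name__ == "__main__":
    print(demo_local_shutdown())
```

The peer check is deliberately kept even though the bind address already excludes remote clients: the two controls fail independently, which is the point the thread makes about not relying on a single mechanism.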