Btw - using Solaris + no_stack_exec + old ssl - appear to be 100% secure from all random attacks (it can be broken - in theory, see articles from 'Solar designer' - but it is absolutely inpractical for hacking). I watched such system (absolutely not patched, with apache and openssl, untouched for 3 years - we kept it as a honeypot - no single exploit). And if you add IP filter + non standard port protects your 100% even if your service have broken library. As a result - it is safer to run old openssl + filter + solaris, vs running SuSe linux + automated upgrade + unfiltered openssl. It is wekk known thing - want best security - do not use anything standard, customize everything. So, step 1 - filter; step 2 -customize; and step 3 - update. Just updates without first 2 steps are much more dangerous, vs no updates but first 2 steps. PS. Why is it in IPv6 thread? And why IP filtering is broken? Even primitive firewall can do enough p[rotection to make any random packets useless. ----- Original Message ----- From: "Christopher L. Morrow" <christopher.morrow@mci.com> To: "Iljitsch van Beijnum" <iljitsch@muada.com> Cc: "Henning Brauer" <hb-nanog@bsws.de>; <nanog@merit.edu> Sent: Saturday, November 13, 2004 7:09 PM Subject: Re: IPV6 renumbering painless?
On Sat, 13 Nov 2004, Iljitsch van Beijnum wrote:
On 13-nov-04, at 10:02, Henning Brauer wrote:
Filtering based on IP addresses is a broken concept.
I'm not a huge fan of sprinkling crypto over everything, but if you want certain people to have access to some stuff and not others, IPsec/SSL are the way to go.
there are things putting random packets over the network today, trying to exploit services you might be using, or your customers might be using. IPSEC everywhere is 'nice' but not horribly practical. SSL is nice, until your SSL libraries have remotely exploitable DoS or root vulnerabilities... how many times over the last 12 months has openssl been upgraded due to 'security' issues?