[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Browser mode for nautilus



On Mon, 2008-10-27 at 21:49 +0100, Lennart Poettering wrote:
> > Disabling firewalls on individual systems be they desktops or servers is
> > a BAD idea. Full stop.
> 
> That is nonsense.
> 
> Firewalls on a desktop make no sense, and David is right is that it is
> a relic and not much more. It's paranoia at best to keep this
> installed by default.


I don't know what kind of desktops you're referring to but desktops  are
the soft-squishy inside that gets large corporate networks in deep
trouble when there is an border fw breach. This is why it is important
to have a multi-layered security policy/infrastructure. 
1. border fw
2. host-based fw  - including desktops
3. deny-all policies at the system level
4. well-audited apps that are runnable
5. restrictive policies on what can be run at all.

If you want to argue that enhancing the firewall technology that we are
currently using to allow a more nuanced user-interaction other than 'on'
or 'off' that's fine by me - but relying on selinux to solve all
network-border issues seems like the wrong tool for the job.


-sv



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]