Date: Tue, 13 Apr 1999 11:05:03 -0400 (EDT) From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com> To: k.stevenson@louisville.edu (Keith Stevenson) Cc: freebsd-security@freebsd.org Subject: Re: Sequential TCP port allocation? Message-ID: <199904131505.LAA21502@cc942873-a.ewndsr1.nj.home.com> In-Reply-To: <19990412120126.B15762@homer.louisville.edu> from Keith Stevenson at "Apr 12, 99 12:01:26 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
[I can't help too much with the subject matter, but this might be better suited to -security. I'm forwarding this there. However, one comment below.] Keith Stevenson wrote, > We recently had an auditing firm run ISS against our network. The only > "vulnerability" detected on our production FreeBSD box was a problem with > "Predictable Sequence Ports". The description states that this FreeBSD box > allocates its port numbers in sequential order. > > I've looked at several of my 2.2.8 boxes, and sure enough this appears to be > true. Is there a setting or sysctl knob that I can tweak to change the system > to allocate ports in a more random manner? If not, does 3.1-STABLE exhibit > the same behavior? > > (Whether or not this qualifies as a real security vulnerability is irrelevant > to me. Since the auditors labeled this as a "security hole" I have to present > some sort of response to my management.) I think it does matter if it is a 'real' vulnerability, _especially_ when talking to management. If it is going to cost $$$ to fix the problem or go with another solution, one must weigh risks against such a cost. There is no such thing as security-at-all-costs (unless you work for the NSA or sumthin'). If you truly want to be secure, do not connect to the Internet, assign each user random passwords (but make sure they don't write them down on Post-It Notes(tm) on the side of the monitor), and put all of the machines in an accessed controlled area with EM screening to keep in the Tempest radiation. Of course, that's an outlandish example, but one must remember there are always costs and benefits to be weighed. -- Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199904131505.LAA21502>