[Unbound-users] [wishlist] unbound vs djbdns
Kevin Chadwick
ma1l1ists at yahoo.co.uk
Tue Jun 14 15:38:50 UTC 2011
On Tue, 14 Jun 2011 13:50:36 +0100, Alexander Clouter wrote:
> What does parsing offline buy you security wise
> that a live system cannot? Privilege separation/dropping is straight
> forward in the case of tcpdump/libpcap and input validation is
> approximately /[a-z0-9_.]+/i and would be a problem in both the live and
> offline case.
>
I meant a separate, permanently offline machine; any exploit/attack has
almost nowhere to go. The point is, parsing online is not best
practice.
> Another method is to physically decouple the collector from the parser.
> Although traffic/cpu intensive, syslog'ing the output to another box
> live and having it parsed (say via a syslog-ng pipe() destination) as it
> appears would be perfectly feasible.
Yep, and a one-way cable as per snort.org would be best practice, giving
realtime functionality and being safe, though your parser and so logging
could potentially still be attacked or damaged/prevented. Though an
attacker would likely struggle to know he succeeded.