To: Ed Sawicki <ed@alcpress.com>
Cc: Brad Knowles <brad.knowles@skynet.be>, dnsop@cafax.se
From: Jim Reid <Jim.Reid@nominum.com>
Date: Fri, 21 Feb 2003 09:15:50 -0800
In-Reply-To: Message from Ed Sawicki <ed@alcpress.com> of "21 Feb 2003 08:52:56 PST." <1045846375.1153.209.camel@red>
Sender: owner-dnsop@cafax.se
Subject: Re: Why one port?
>>>>> "Ed" == Ed Sawicki <ed@alcpress.com> writes:

    Ed> I want my systems to be as secure from attack as possible. To
    Ed> me, this means never allowing both functions to be provided by
    Ed> the same codebase.

    >> Fine. But by the same reasoning, you wouldn't want to provide
    >> both functions on the same box.

    Ed> I can run both processes in the same computer safely because
    Ed> each is running as a different non-root user and each is
    Ed> chrooted to a different place in the file system. If I'm
    Ed> really paranoid, I can run each in its own Linux virtual
    Ed> machine (UML) - all the while using only one IP address.

So what? The stuff is still on just one box. You've still got all your
eggs in one basket. Albeit a basket with fancy padded compartments. All
this software ring-fencing isn't going to help if the CPU catches fire
or someone trips over the power cable and disconnects it, etc, etc.