Maintained by: NLnet Labs

[Unbound-users] [wishlist] unbound vs djbdns

Kevin Chadwick
Tue Jun 14 17:38:50 CEST 2011


On Tue, 14 Jun 2011 13:50:36 +0100
Alexander Clouter wrote:

> What does parsing offline buy you security wise 
> that a live system cannot?  Privilege separation/dropping is straight 
> forward in the case of tcpdump/libpcap and input validation is 
> approximately /[a-z0-9_.]+/i and would be a problem in both the live and 
> offline case.
> 
I meant a separate, permanently offline machine; any exploit/attack has
almost nowhere to go. The point is, parsing online is not best
practice.

> Another method is to physically decouple the collector from the parser.  
> Although traffic/cpu intensive, syslog'ing the output to another box 
> live and having it parsed (say via a syslog-ng pipe() destination) as it 
> appears would be perfectly feasible.

Yep, and a one-way cable as per snort.org would be best practice, giving
realtime functionality and being safe, though your parser, and so logging,
could potentially still be attacked or damaged/prevented. Though an
attacker would likely struggle to know he succeeded.
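The input-validation point raised in the quoted text (a whitelist along the lines of /[a-z0-9_.]+/i applied before anything else touches the data) is illustrated below with a small log parser. This is an added example, not code from the thread or from the Unbound project; the log lines are constructed in roughly the shape of Unbound's query log and the exact format is an assumption. Each field is matched against a strict alphabet and anything that fails is counted as rejected rather than passed on, so a hostile query name never reaches the summarising code whether the parser runs live or on an offline box.

```python
import re
from collections import Counter

# Constructed sample lines loosely modelled on an Unbound query log
# (log-queries: yes).  Addresses and names are made up for this example.
SAMPLE_LINES = [
    "[1308066000] unbound[1234:0] info: 192.0.2.10 www.example.com. A IN",
    "[1308066001] unbound[1234:0] info: 192.0.2.11 mail.example.org. MX IN",
    "[1308066002] unbound[1234:0] info: 192.0.2.12 www.example.com. AAAA IN",
    # hostile or corrupt input: the name carries shell metacharacters
    "[1308066003] unbound[1234:0] info: 192.0.2.13 evil$(rm).example.com. A IN",
    # truncated / garbage line that does not fit the format
    "garbage that does not match the format at all",
]

# Whitelist for a query name: the thread's /[a-z0-9_.]+/i idea, widened to
# allow '-' (legal in hostnames).  Length capped at the DNS name limit.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,253}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
TYPE_RE = re.compile(r"^[A-Z0-9]{1,10}$")

# Overall line shape (assumed format, see lead-in).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: "
    r"(?P<client>\S+) (?P<name>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$"
)


def parse_line(line):
    """Return (client, name, qtype) for a well-formed line, else None.

    Every field is checked against its whitelist before being returned, so
    downstream code only ever sees values from the expected alphabet.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    client, name, qtype, qclass = m.group("client", "name", "qtype", "qclass")
    if not (IPV4_RE.match(client) and NAME_RE.match(name)
            and TYPE_RE.match(qtype) and qclass == "IN"):
        return None
    return client, name.lower(), qtype


def summarise(lines):
    """Count accepted queries per name; report how many lines were rejected."""
    counts = Counter()
    rejected = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            rejected += 1      # dropped, never interpreted further
            continue
        counts[parsed[1]] += 1
    return counts, rejected


if __name__ == "__main__":
    counts, rejected = summarise(SAMPLE_LINES)
    for name, n in counts.most_common():
        print(f"{n:5d} {name}")
    print(f"rejected lines: {rejected}")
```

Run against a real log with `summarise(open(path))`; the rejected count is itself worth alerting on, since a sudden rise means either a format change or someone feeding the parser input it was not built for.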