Securing PyDoc and CGIHTTPserver

Peter Hansen peter at engcorp.com
Thu Jul 10 21:31:22 EDT 2003


Harry George wrote:
> 
> Peter Hansen <peter at engcorp.com> writes:
> 
> > Jon Schull wrote:
> > >
> > > However, even with the patch, IP addresses can be spoofed.  Here is an
> > > additional security tactic that might be adopted.
> > >
> > > [...] However, if the port
> > > were chosen at random and printed out, then only pydoc and the user
> > > would know how to access the pydoc server.
> > >
> > My suggestion: don't attempt to mix security into each individual
> > application in a piecemeal manner.  Use the proper tools for the
> > job, such as firewalls.  Setting up a firewall on Linux or WinXP
> > is nearly trivial at this point, and the learning experience is
> > worth the effort for those who are new to this, so there's not
> > much excuse for doing it properly, IMHO.
> 
> Here, we have lots of COTS *NIX behind the corporate firewalls, and
> want to provide internal security.  We do this with SSL'd
> communications.  I can see how a firewall denies/allows specific IP
> addresses (or at least claimed IP addresses), but not how it solves
> sniffing, spoofing, man-in-the-middle, etc., where encryption
> protocols are needed.

Uh, yeah.... but the OP wasn't asking about sniffing, spoofing, or
man-in-the-middle attacks, near as I can tell, nor about using
encryption.  He was suggesting an unusual modification to one or
more applications which would otherwise be decoupled from security,
by adding into them features which are better handled by firewalls.

I'm not saying firewalls handle all security.  At least I don't
think I did.  I vaguely remember saying "proper tools for the
job, *such as* firewalls" [emphasis added], thus implying there
are other approaches that might be appropriate.

-Peter
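For readers who want to see what the "random port, printed out" idea from the quoted message amounts to in practice, the following is an added example (not code from this thread, not pydoc's own code, and written for Python 3's http.server rather than the CGIHTTPServer the subject line names). It asks the OS for an unused ephemeral port by binding to port 0, binds only to the loopback address (an assumption of this example, not something the thread proposes), and reports the port. The DocHandler class is a stand-in for a documentation server.

```python
import http.client
import http.server
import socketserver
import threading


class DocHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for a pydoc-style documentation server (assumed, not pydoc's code)."""

    def do_GET(self):
        # Echo the requested path so the caller can see the request reached us.
        body = b"<html><body>doc server stand-in: " + self.path.encode() + b"</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def start_local_server(host="127.0.0.1"):
    """Bind to an OS-chosen ephemeral port on loopback and serve in a thread.

    Port 0 is the conventional way to get an unused, effectively random port
    without the application rolling its own random number. Binding to
    127.0.0.1 (assumed here) means no remote host can connect regardless of
    the claimed source address, which a peer-address check cannot guarantee.
    """
    server = socketserver.TCPServer((host, 0), DocHandler)
    port = server.server_address[1]
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, port


def fetch(port, path="/", host="127.0.0.1"):
    """Plain HTTP GET against the local server; http.client ignores proxy env vars."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def demo():
    """Start the server, make one request, shut it down; returns (port, status, body)."""
    server, port = start_local_server()
    try:
        status, body = fetch(port, "/pydoc.html")
        return port, status, body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    port, status, body = demo()
    # This print is the "printed out" step from the thread's suggestion.
    print(f"serving on 127.0.0.1:{port} -> HTTP {status}")
```

Two caveats from the editor, not from the thread: the printed port is only obscurity, since any local user can enumerate listening sockets (`ss -ltn` or `netstat -an`), so it is not an access control; and the loopback bind keeps remote hosts out but still lets every local account reach the server, which is exactly the kind of boundary a host firewall or per-user authentication would have to draw.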
