On Mon, Jun 18, 2007 at 07:17:54PM +0200, Daniel de Kok wrote:
> On Mon, 2007-06-18 at 12:56 -0400, Stephen Harris wrote:
> > The security rule of thumb here is that such a machine _will_ be attacked, and so "security in depth" is the process to apply.
> There are far more attack vectors than just through network-facing daemons. To name just one example, web browsers. Unfortunately, Firefox is not yet protected by the targeted policy. Hopefully that will happen one day.
Web browsers typically don't run as root and don't run on servers, but work stations. They also require users to access "infected" sites.
Daemons on internet-facing systems generally provide access to application data (e.g. a web application) or system resources (e.g. ssh) with higher privileges and are candidates for automated zombie attacks and, therefore, have a much bigger risk profile.