RootPrompt.org: Amateur Fortress Building in Linux Part 2

“Trying to get my Linux system secured the way I like it, I
found out I’m actually working by a simple rule. I’m trying to
avoid a single point of failure.”

“A single point of failure means that a single mistake, bug or
error means an attacker can get sufficient control on the host so
that he can do serious damage. A firewall is of limited use if
various system daemons, running as root, peek through it, waiting
for the next buffer overflow attack. Similarly, if your firewall is
all that stands between the script kiddies and highly vulnerable
network services you’re putting a lot of trust in your ability to
build the perfect firewall.”

Of course, deep down there is always some potential for a
catastrophic security hole – in the TCP stack, the kernel,
whatever. There is no alternative to accepting that, at some time,
the worst happens and the only way out is to get things patched as
quickly as possible. I can live with that. I just don’t want it to
be a biweekly event.