Building Internet Firewalls

Chapter 2: Internet Services

2.13 Window Systems

Most UNIX machines currently provide window systems based on the X11 window system. Network access is an important feature of X11. As more and more programs have graphical user interfaces, remote terminal access becomes less and less useful; you need graphics, not just text. X11 gives you remote graphics. Unfortunately, it does this by providing complete access to all of the capabilities it gives you when you are sitting in front of the machine.

X11 servers are tempting targets for intruders. An intruder with access to an X11 server may be able to do any of the following types of damage:

Get screen dumps

These are copies of whatever is shown on the users' screens.

Read keystrokes

These may include users' passwords.

Inject keystrokes

They'll look just as if they were typed by the user. Imagine how dangerous this could be in a window in which a user is running a root shell.

By default, X11 servers use address-based authentication if they use any authentication at all; many users disable this feature in the name of convenience. X11, therefore, isn't safe to use across the Internet. The server does provide the option of using stronger authentication, but most clients aren't capable of using it, and it is thus rarely turned on. In practice, it usually prevents anybody from authenticating.
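
The following added example, which is not from the book, audits a host for the two conditions described above: address-based access control that is disabled or extended to other hosts, and an X server listening on a network address. It assumes the output formats of `xhost` and `ss -ltn`; the sample text, host name and user name are constructed.

```sh
#!/bin/sh
# Constructed sample: `xhost` output from a server with access control
# turned off and one leftover host entry.
SAMPLE_XHOST='access control disabled, clients can connect from any host
INET:build-host.example.com
SI:localuser:alice'

# Constructed sample: `ss -ltn` output from the same machine.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Classify each line of `xhost` output read from stdin.
audit_xhost() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*)
                echo "CRITICAL: access control disabled, any host may connect" ;;
            "access control enabled"*)
                echo "OK: access control enabled" ;;
            INET:*|INET6:*)
                echo "WARN: address-based entry for ${line#*:}" ;;
            SI:localuser:*)
                echo "OK: local user ${line#SI:localuser:}" ;;
            "") ;;
            *)  echo "REVIEW: $line" ;;
        esac
    done
}

# Flag X11 TCP listeners (display :N uses port 6000+N) bound to a
# non-loopback address, from `ss -ltn` output read from stdin.
x11_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":"); port = part[n] + 0
        addr = substr($4, 1, length($4) - length(part[n]) - 1)
        if (port >= 6000 && port <= 6063 && addr !~ /^127\./ && addr != "[::1]")
            print "CRITICAL: display :" (port - 6000) " listening on " $4
    }'
}

printf '%s\n' "$SAMPLE_XHOST" | audit_xhost
printf '%s\n' "$SAMPLE_SS" | x11_listeners
```

On a live system, pipe the real commands into the functions instead of the samples: `xhost | audit_xhost` and `ss -ltn | x11_listeners`.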