Bugtraq mailing list archives

Re: Gauntlet 5.0 BSDI warning


From: kyoung () V-ONE COM (Keith Young)
Date: Mon, 18 Oct 1999 17:42:33 -0400


First, an update. NAI has already released a fix regarding my original
e-mail. You can download it from:
http://www.tis.com/support/patch50.html

Thanks to NAI support for getting a fix out so quickly.

Strange wrote:

> According to the folks we asked at NAI in June about the Gauntlet install
> procedure (on all supported OSes), the install order to be used is:
>
> Install OS
> Install OS patches
> Install Gauntlet
> Install Gauntlet patches
> never install any OS patches again

True, but many people install the firewall then the OS vendor releases a
patch.

> Because of that last nasty gotcha, we use a firewall builder box when we
> want to "patch" the firewalls.  We then pull the newly-built drives, and
> swap them into the extant firewall box.  Lather, rinse, repeat.

You are a stronger person than I... I wouldn't want to have to keep
securing the OS on a box and "reinstalling" the firewall every time the
OS/firewall vendor releases an important patch...  :-)

> Interestingly, this is what the vendor told us to *always* do, under *all*
> circumstances.  I'd say that if you're going to apply vendor patches, you
> should assume you have to do a full Gauntlet reinstall because Gauntlet
> 5.0 replaces some key kernel items.

See above....

> I.e., a vendor patch replaced code that Gauntlet had already replaced.

Exactly.

> I am wondering if this is *really* a Gauntlet bug or a Gauntlet vendor
> documentation bug.

Which is why the word "bug" never appeared in the original alert. Had
the M310-049 patch not been required for the kernel patch install, very
few of us would have run into the problem.

> (they do not, as far as we could tell, make it plain that you
> should not apply vendor patches after installing the firewall)

Not exactly true. Look here:
http://www.tis.com/support/bsd31.html

--Keith
-kyoung () v-one com
