Firewall Wizards mailing list archives

Re: Unix Hardening for FW installation


From: "Ellis Luk" <e_luk () hotmail com>
Date: Mon, 01 Nov 1999 17:28:16 PST

Marcus Ranum wrote:
I used to believe in "stripping" operating systems. Now I believe
in "building" them. Rather than removing what I think may be bad,
I prefer to start with a bootstrap loader and add the things I need.
:)
The NFR appliance (which I happened to do the first round of
system integration for) was built in the manner described above.
I took the bootstrap, added a kernel and filesystem, a minimum
of devices, and then coded my own version of init and everything
above kernel space.

This is also a topic that a few of us discussed recently.

I understand that if it is a passive device (like an intrusion detection
device), it may be a good idea to use an "appliance". My reasoning is
that:

If the vendor makes a mistake while building their basic OS for the
appliance, the worst situation is that the system is compromised and
I will become "blind" (in terms of network activities). But, in
general, it will not compromise my network security since my IDS
appliance is placed outside my firewall, and it is not trusted.

However, for an active device like a firewall, the mistake may become
very costly. That said, everyone makes mistakes, including SUN, BSDI, MS
etc. So what is the difference? I believe that for those organisations
that heavily rely on the FW supplier for security maintenance, there
would not be much difference. (Actually, the security may be improved
because administrators will be more willing to upgrade/patch the FW.)
But to me, if a bug is found, I want to be able to implement the
workaround ASAP, and then the vendor patch when it becomes available.
Of course, there may be no workaround until the vendor can provide
a patch :-(

The bottom line is that for a key security device like a firewall, I
would prefer to have more control, rather than heavily rely on the
vendor to provide maintenance.
I will be interested to hear other people's opinion.

--
Ellis


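The "build it from an explicit list" philosophy Marcus describes, and the "keep control of the box" point Ellis makes, both reduce to the same operational check: the firewall host should contain exactly what the build manifest says and nothing else. The script below is an added example, not code from the thread or from either poster; it audits a host's setuid binaries and listening sockets against an allowlist and reports anything the manifest did not authorise. The allowlists, the "observed" inventories and the `unexpected`/`audit_host` function names are all constructed for illustration; on a real host the inventories would come from `find` and `netstat`/`ss` as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original thread): allowlist-style host audit,
# i.e. "build from a manifest" rather than "strip what looks bad".
# All lists below are constructed sample data, not a real host inventory.

# Manifest: the only setuid binaries and listening sockets this hypothetical
# firewall build is supposed to have. Anything else is a deviation.
ALLOWED_SETUID="/usr/bin/passwd
/usr/bin/su"

ALLOWED_LISTEN="tcp:22
udp:500"

# On a live host these would be produced by (root required, OS-dependent):
#   find / -xdev -type f -perm -4000 2>/dev/null
#   netstat -an (or: ss -lntu on modern Linux), reduced to proto:port
# Constructed sample inventory standing in for those commands:
OBSERVED_SETUID="/usr/bin/passwd
/usr/bin/su
/usr/sbin/sendmail"

OBSERVED_LISTEN="tcp:22
tcp:25
udp:500"

# unexpected ALLOWED OBSERVED
# Prints every observed entry that is absent from the allowlist, one per
# line. Matching is exact and whole-line (-x -F) so "/usr/bin/su" does not
# accidentally authorise "/usr/bin/sudo".
unexpected() {
    allowed=$1
    observed=$2
    printf '%s\n' "$observed" | while IFS= read -r item; do
        [ -n "$item" ] || continue
        if ! printf '%s\n' "$allowed" | grep -q -x -F -- "$item"; then
            printf '%s\n' "$item"
        fi
    done
}

# audit_host: compare both inventories to the manifest. Returns 0 when the
# host matches the manifest exactly, 1 when any deviation was found.
audit_host() {
    rc=0
    dev=$(unexpected "$ALLOWED_SETUID" "$OBSERVED_SETUID")
    if [ -n "$dev" ]; then
        echo "unexpected setuid binaries:"
        echo "$dev"
        rc=1
    fi
    dev=$(unexpected "$ALLOWED_LISTEN" "$OBSERVED_LISTEN")
    if [ -n "$dev" ]; then
        echo "unexpected listening sockets:"
        echo "$dev"
        rc=1
    fi
    return $rc
}

if audit_host; then
    echo "host matches build manifest"
else
    echo "host deviates from build manifest"
fi
```

With the sample data the audit flags `/usr/sbin/sendmail` and `tcp:25`: an MTA that the manifest never authorised on a firewall. The point of running the comparison in this direction is that an unknown item is reported by default; a "stripping" approach only catches what someone already thought to remove.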

