Firewall Wizards mailing list archives
Re: Unix Hardening for FW installation
From: "Ellis Luk" <e_luk () hotmail com>
Date: Mon, 01 Nov 1999 17:28:16 PST
Marcus Ranum wrote:
I used to believe in "stripping" operating systems. Now I believe in "building" them. Rather than removing what I think may be bad, I prefer to start with a bootstrap loader and add the things I need. :) The NFR appliance (which I happened to do the first round of system integration for) was built in the manner described above. I took the bootstrap, added a kernel and filesystem, a minimum of devices, and then coded my own version of init and everything above kernel space.
This is also a topic that a few of us discussed recently. I understand that if it is a passive device (like an intrusion detection device), it may be a good idea to use an "appliance". My reasoning is that if the vendor makes a mistake while building their basic OS for the appliance, the worst situation is that the system is compromised and I will become "blind" (in terms of network activities). But, in general, it will not compromise my network security, since my IDS appliance is placed outside my firewall and it is not trusted.

However, for an active device like a firewall, the mistake may become very costly. That said, everyone makes mistakes, including SUN, BSDI, MS etc. So what is the difference? I believe that for those organisations that heavily rely on the FW supplier for security maintenance, there would not be much difference. (Actually, the security may be improved because administrators will be more willing to upgrade/patch the FW.) But to me, if a bug is found, I want to be able to implement the workaround ASAP, and then the vendor patch when it becomes available. Of course, there may be no workaround until the vendor can provide a patch :-(

The bottom line is that for a key security device like a firewall, I would prefer to have more control, rather than heavily rely on the vendor to provide maintenance. I will be interested to hear other people's opinions.

-- Ellis
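Marcus's description above, a system assembled from a bootstrap loader, a kernel, a minimum of devices and a hand-written init, amounts to an image whose entire userland is one supervisor and the one service it exists to run. The following is an added example of what such an init can look like in C; it is not the NFR appliance's code and is not from either poster. It assumes a Linux kernel, a single packet-filter daemon at the hypothetical path /sbin/fw-filter, and an unprivileged uid/gid 100 created for that daemon when the image is built.

```c
/* Minimal init for a "built, not stripped" firewall image.
 * Added example for this thread; it is not the NFR appliance's init and it
 * makes the assumptions marked below.  Everything above the kernel is this
 * program plus the one service it supervises: nothing else is present, so
 * there is nothing to strip later. */
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __linux__
#include <sys/mount.h>
#endif

/* Assumed: the single packet-filter daemon baked into the image, and an
 * unprivileged uid/gid created for it at image-build time. */
#define SERVICE_PATH "/sbin/fw-filter"
#define SERVICE_UID  ((uid_t)100)
#define SERVICE_GID  ((gid_t)100)
#define MAX_RESTARTS 5

/* Fork and exec one service with privileges dropped to uid/gid.
 * Returns the child's pid, or -1 if fork failed.  A failed privilege drop
 * (111) or exec failure (127) is reported through the child's exit status,
 * which the supervisor sees via wait_for_service(). */
pid_t start_service(const char *path, char *const argv[], uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Order matters: change group first, while still privileged enough to. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(111);
        execv(path, argv);
        _exit(127);                 /* reached only if execv() failed */
    }
    return pid;
}

/* Block until the supervised service exits.  Init is also the parent of every
 * orphaned process, so anything else that exits is reaped here on the way
 * (no zombies accumulate).  Returns the raw wait status, or -1 on error. */
int wait_for_service(pid_t service)
{
    for (;;) {
        int status;
        pid_t pid = wait(&status);
        if (pid < 0)
            return -1;              /* ECHILD: the service is already gone */
        if (pid == service)
            return status;
        /* some other orphan: reaped and ignored */
    }
}

/* Run a program to completion under the current uid/gid and return its exit
 * code (or -1).  Lets the fork/drop/exec/wait path be checked on a host. */
int service_exit_code(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    pid_t pid = start_service(path, argv, getuid(), getgid());
    if (pid < 0)
        return -1;
    int status = wait_for_service(pid);
    if (status < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* PID 1 entry point: mount what the service needs and nothing more, then
 * keep the service running.  Fail closed if it will not stay up. */
int main(void)
{
    char *const argv[] = { SERVICE_PATH, NULL };
    int restarts = 0;

#ifdef __linux__
    /* Only /proc, mounted so nothing on it is setuid, a device, or executable. */
    if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) != 0)
        perror("init: mount /proc");
#endif

    while (restarts <= MAX_RESTARTS) {
        pid_t pid = start_service(SERVICE_PATH, argv, SERVICE_UID, SERVICE_GID);
        if (pid < 0) {
            perror("init: fork");
            break;
        }
        int status = wait_for_service(pid);
        fprintf(stderr, "init: %s exited (wait status 0x%x), restart %d/%d\n",
                SERVICE_PATH, status, restarts, MAX_RESTARTS);
        restarts++;
        sleep(1);                   /* do not spin if the binary is broken */
    }

    /* A firewall whose filter cannot stay up should stop, not keep forwarding.
     * PID 1 must never return (the kernel would panic), so hold here. */
    fprintf(stderr, "init: giving up after %d restarts\n", restarts);
    sync();
    for (;;)
        pause();
}
```

Built statically and installed as /sbin/init, this is the whole of "everything above kernel space" for the image; adding a second daemon means adding a second start_service() call, which is the point of building up rather than stripping down. service_exit_code() runs the same fork, privilege-drop, exec and reap path against any host binary, so the supervisor logic can be checked before it is ever PID 1.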
Current thread:
- Re: Unix Hardening for FW installation Ellis Luk (Nov 06)
- Re: Unix Hardening for FW installation Marcus J. Ranum (Nov 07)