Firewall Wizards mailing list archives

Re: Unix Hardening for FW installation

From: Chris Boscolo <chrisb () watchguard com>
Date: Wed, 27 Oct 1999 22:00:26 -0700 (PDT)


On Wed 27-October, Marcus J. Ranum wrote (id <3.0.6.32.19991027211307.007cc1c0 () mail clark net>):
 %
 %>Can anyone suggest resources or sites with info on securing a UNIX system
 %>for installation of a firewall.
 %
 %I used to believe in "stripping" operating systems. Now I believe
 %in "building" them. Rather than removing what I think may be bad,
 %I prefer to start with a bootstrap loader and add the things I
 %need. :)
 %
 %The NFR appliance (which I happened to do the first round of
 %system integration for) was built in the manner described above.
 %I took the bootstrap, added a kernel and filesystem, a minimum
 %of devices, and then coded my own version of init and everything
 %above kernel space.

This is the same design methodology which we used in our Firebox.
But, we don't have any filesystems which are for generic use.
We use compressed read-only images which we uncompress during
startup.

This way, there is never filesystem "state" to worry about.

I agree that this the best way to design a secure system, but you may
say that I have a bias...

        -chrisb

--
 Chris Boscolo               chris.boscolo () WatchGuard com
 Software Development Manager, Security Technologies
 WatchGuard Technologies     (206) 521-8348

Current thread:

Unix Hardening for FW installation brendon . b . taylor (Oct 27)
- Re: Unix Hardening for FW installation Marcus J. Ranum (Oct 27)
  - Re: Unix Hardening for FW installation Chris Boscolo (Oct 28)
    - Re: Unix Hardening for FW installation Marcus J. Ranum (Oct 28)
- Re: Unix Hardening for FW installation Philip S Holt / Security Engineering (Oct 28)
- Re: Unix Hardening for FW installation Mat Henley (Oct 28)
- RE: Unix Hardening for FW installation David Cocking (Oct 28)
- <Possible follow-ups>
- re: Unix Hardening for FW installation Cliff Watts (Oct 29)