Firewall Wizards mailing list archives
Re: Securing a Linux Firewall
From: Carson Gaspar <carson () taltos org>
Date: Wed, 31 Jul 2002 20:00:55 -0400
--On Tuesday, July 30, 2002 4:41 PM -0700 "Stephen P. Berry" <spb () meshuggeneh net> wrote:
> When you have to cope with upgrades, version migrations, patches and that sort of thing, keep in mind that you don't have to redo everything from scratch---you're just dealing with the deltas, and then only if they apply to the widgets that are a part of your minimal install. This sort of thing is always a pain -regardless- of what your typical machine looks like, and I just don't see how having a bare bones system makes it more painful. It certainly hasn't been in my experience.
As a matter of curiosity, what is your experience? Platform, types of applications supported, number of systems/users? This is a serious question - it could be that our viewpoints are both valid, but for different environments.
My experience with maintaining Solaris builds for tens of thousands of machines running just about anything you can imagine contradicts your statements. The amount of churn in what is required between Solaris versions is large. After attempting to maintain a "minimal" install, that still had way too much setuid crap (due to the granularity of Sun packages), or that broke Sun's package mechanisms, I stopped doing it. Solaris 9 is supposed to be better about package granularity, but I haven't touched the beast yet.
My assertion is that the maintenance cost of maintaining a "minimal" build, or multiple "minimal" builds (minimal for what? A firewall? A Sybase server?), is too high for the minimal security gained from it. Nobody has given me sufficient evidence of either great security gains, or of reduced maintenance costs, for me to change my assertion.
-- Carson