Firewall Wizards mailing list archives

Re: Securing a Linux Firewall


From: Carson Gaspar <carson () taltos org>
Date: Wed, 31 Jul 2002 20:00:55 -0400



--On Tuesday, July 30, 2002 4:41 PM -0700 "Stephen P. Berry" <spb () meshuggeneh net> wrote:

> When you have to cope with upgrades, version migrations, patches and
> that sort of thing, keep in mind that you don't have to redo everything
> from scratch---you're just dealing with the deltas, and then only if
> they apply to the widgets that are a part of your minimal install.  This
> sort of thing is always a pain -regardless- of what your typical machine
> looks like, and I just don't see how having a bare bones system makes
> it more painful.  It certainly hasn't been in my experience.

As a matter of curiosity, what is your experience? Platform, types of applications supported, number of systems/users? This is a serious question - it could be that our viewpoints are both valid, but for different environments.

My experience with maintaining Solaris builds for tens of thousands of machines running just about anything you can imagine contradicts your statements. The amount of churn in what is required between Solaris versions is large. After attempting to maintain a "minimal" install, that still had way too much setuid crap (due to the granularity of Sun packages), or that broke Sun's package mechanisms, I stopped doing it. Solaris 9 is supposed to be better about package granularity, but I haven't touched the beast yet.

My assertion is that the maintenance cost of maintaining a "minimal" build, or multiple "minimal" builds (minimal for what? A firewall? A Sybase server?), is too high for the minimal security gained from it. Nobody has given me sufficient evidence of either great security gains, or of reduced maintenance costs, for me to change my assertion.

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
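The two posters disagree on how much work the "deltas" of an upgrade really are on a minimal build, and Carson's specific complaint is the setuid programs that Sun's package granularity drags in. The script below is an added example written for this archive page, not code from either poster or from Sun: it takes an inventory of setuid/setgid files under a root, and diffs that inventory against a saved baseline so that after a patch or version migration only the delta has to be reviewed. The sample directory tree, file names and modes are constructed for the demonstration; a real run would point the inventory at `/` (as root, and with `-xdev` if you want to stay on one filesystem) and save the baseline with the build.

```shell
#!/bin/sh
# Added example (not from the thread): setuid/setgid inventory and baseline delta.
# Only POSIX find/ls/awk/comm/sort are used so it also runs under Solaris /bin/sh.
LC_ALL=C; export LC_ALL   # stable sort order and ls output for comm(1)

# suid_inventory ROOT
# Prints one "mode path" line per setuid or setgid regular file under ROOT,
# paths relative to ROOT (./usr/bin/su), sorted. Assumes paths without whitespace.
suid_inventory() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; ) \
        | awk '{ print $1, $NF }' \
        | sort
}

# suid_delta BASELINE_FILE CURRENT_FILE
# Prints "+ mode path" for privileged files that appeared since the baseline and
# "- mode path" for ones that vanished. Returns 0 when the inventories match,
# 1 when there is a delta, so it can gate a build or a patch roll-out.
suid_delta() {
    added=$(comm -13 "$1" "$2")      # lines only in CURRENT
    removed=$(comm -23 "$1" "$2")    # lines only in BASELINE
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# demo: constructed sample tree standing in for a root filesystem. The "baseline"
# image has two setuid programs; the simulated upgrade adds one and drops one.
# Returns 1 (a delta was found) and prints it.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin" "$work/usr/sbin"
    printf '#!/bin/sh\n' > "$work/usr/bin/su";     chmod 4755 "$work/usr/bin/su"
    printf '#!/bin/sh\n' > "$work/usr/bin/passwd"; chmod 4755 "$work/usr/bin/passwd"
    printf '#!/bin/sh\n' > "$work/usr/bin/ls";     chmod 0755 "$work/usr/bin/ls"   # not setuid
    suid_inventory "$work" > "$work/baseline.txt"

    # Simulated upgrade: a new setuid binary arrives, passwd loses its bit.
    printf '#!/bin/sh\n' > "$work/usr/sbin/traceroute"; chmod 4755 "$work/usr/sbin/traceroute"
    chmod 0755 "$work/usr/bin/passwd"
    suid_inventory "$work" > "$work/current.txt"

    suid_delta "$work/baseline.txt" "$work/current.txt"
    status=$?
    rm -rf "$work"
    return $status
}

# Run the demonstration when executed directly.
demo
```

On a real system the interesting follow-up for each `+` line is which package put it there (on Solaris, pkgchk(1M) maps a path back to its package), because that is what decides whether the file belongs in a firewall's minimal build at all. The awk `$NF` trick breaks on paths containing whitespace; use `find -print0` style tooling where your platform has it.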

