Firewall Wizards mailing list archives

RE: Securing a Linux Firewall

From: Bruce Platt <Bruce () ei3 com>
Date: Tue, 23 Jul 2002 17:32:21 -0400

I guess it depends on what you fear most and what systems you need to
maintain.  This thread started off as how to secure a firewall.  By nature
they should be limited to what is needed and that's all.

I don't care if a determined, knowledgeable attacker does damage or if it's
done by a clueless kiddie.

What I do care about is denying successful attacks be they the sort that
cracks a hole in the fw, crashes a process due to stack overflow, or grants
access by privilege elevation.

That's all I'm going to say on this topic.  I think we have different views.
I've used up my self-imposed limit on reply characters today :-)

Regards

-----Original Message-----
From: Carson Gaspar [mailto:carson () taltos org]
Sent: Tuesday, July 23, 2002 4:43 PM
To: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Securing a Linux Firewall




--On Tuesday, July 23, 2002 4:22 PM -0400 Bruce Platt <Bruce () ei3 com> wrote:

Everything on the box that you don't need is a potential way for someone
to grab control of an executable which can cause damage.  Just because the
image isn't executed during init processing doesn't mean that someone
can't start it up some other way.


If the binary grants no additional privileges, then it can do nothing the 
attacker couldn't do already. If you can execute shell code, you can copy 
bits onto the box (at your current privilege level) - assuming there is at 
least one writable directory on the box.

So far, the only comments I've received that make sense are:

- Not having the binary in the expected location prevents skript kiddiez 
attacks from suceeding

In my opinion, this provides minimal additional security. My threat model 
is a determined attacker, not a clueless scriptoid.

- If the binary isn't on the box, nobody can enable the service by accident

True. But I feel that a regular system config audit is a better way of 
confirming that nobody's done anything unfortunate.

There are a few reasons I don't like the "strip everything off the box" 
mentality.

- It frequently makes debugging problems nearly impossible, as the 
necessary tools are not present.

- Every time a patch or a new OS version is released, the set of files that 
are required changes. Also, new privileged binaries may appear.

I've had to maintain "jumpstart"-like images for secure servers. 
Maintaining a "known-good" list for privileged binaries is relatively 
straightforward. Maintaining a "known-good" list of _all_ binaries is a 
nightmare. I further assert that maintaining a "known-bad" list is a lost 
cause.

-- 
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Securing a Linux Firewall, (continued)
- - - Re: Securing a Linux Firewall Carson Gaspar (Jul 24)
    - Re: Securing a Linux Firewall BORBELY Zoltan (Jul 24)
    - RE: Securing a Linux Firewall Bill Royds (Jul 24)
    - Re: Securing a Linux Firewall Kyle R. Hofmann (Jul 24)
    - Re: Securing a Linux Firewall Stephen P. Berry (Jul 26)
    - Re: Securing a Linux Firewall R. DuFresne (Jul 26)
    - Re: Securing a Linux Firewall Gwendolynn ferch Elydyr (Jul 24)
    - Re: Securing a Linux Firewall Stephen P. Berry (Jul 25)
    - Re: Securing a Linux Firewall Gwendolynn ferch Elydyr (Jul 25)
    - RE: Securing a Linux Firewall David Lang (Jul 24)
- RE: Securing a Linux Firewall Bruce Platt (Jul 23)
- RE: Securing a Linux Firewall Roger Marquis (Jul 23)
- Re: Securing a Linux Firewall Marcus J. Ranum (Jul 23)
- RE: Securing a Linux Firewall Ravdal, Stig (Jul 24)