Firewall Wizards mailing list archives

Host firewalling


From: Paul Robertson <proberts () patriot net>
Date: Thu, 25 Jul 2002 14:46:12 -0400 (EDT)


I've recently been playing with some network-based default-deny 
capabilities for Linux and Solaris systems, and I'm getting a lot of "we 
wouldn't load that kernel module" feedback third hand.

That leaves me wondering (private replies are preferred; I'll probably end 
up summarizing if I get enough feedback rather than clogging the list with 
individual replies, unless something interesting comes back): how many of 
you would advocate loading a module (or 2 or 3) which provided some 
defense in depth, provided:

(A) The code was available for review.
(B) The code was GPL and/or widely reviewed.
(C) The code was easy to understand.
(D) The code was "blessed" by the OS vendor/distributor.
(E) It saved you from having to do "hardening."

My primary motivator is that I've gotten tired of trying to do a 
minimum level of security on things like firewalls which seem to want GUIs 
no matter what these days.

Module features might be things like controlling network access, stopping 
remote shell exploit code, managing file access.

(I'm aware that most of this isn't new; I'm more interested in hurdles to 
such modules than comparisons or pointers to similar projects.)

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
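Added example, not part of the original post: a concrete picture of what a network-based default-deny looks like on a Linux host. It uses iptables (an assumption; the post names no tool) and generates the ruleset as text first so it can be read and reviewed before anything is applied, which is the review-before-load concern the post raises. The port list, the `APPLY_RULES` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a default-deny host firewall
# for a Linux box, built with iptables.  Everything inbound is dropped unless
# it is loopback, part of a connection this host started, or on the short
# allow-list of service ports passed as arguments.  Assumptions: iptables is
# present and the ports given are the only services this host should expose.

# Print the iptables commands for a default-deny INPUT policy; the caller
# decides whether to apply them.  Arguments: TCP ports to allow inbound.
build_default_deny_rules() {
    # Start from a clean INPUT chain so stale rules cannot reopen holes.
    echo "iptables -F INPUT"
    # Default-deny: anything not explicitly accepted below is dropped.
    echo "iptables -P INPUT DROP"
    # Loopback traffic stays local and is always allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host initiated (and related ICMP).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Explicit allow-list of inbound TCP services (new connections only).
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "skipping non-numeric port '$port'" >&2; continue ;;
        esac
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of what the default-deny drops, so tuning the
    # allow-list is driven by observed traffic rather than guesswork.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"host-fw drop: \""
}

# Count the ACCEPT rules a generated ruleset opens; a cheap sanity check
# before applying (a "default-deny" that accepts everything is not one).
count_accept_rules() {
    build_default_deny_rules "$@" | grep -c -- '-j ACCEPT'
}

# Dry run by default: the rules are only applied when APPLY_RULES=1 and the
# script runs as root; otherwise they are printed for review.
if [ "${APPLY_RULES:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    build_default_deny_rules 22 | sh
else
    build_default_deny_rules 22
fi
```

Run it plainly to see the generated rules for a host that exposes only SSH; add more ports as arguments to `build_default_deny_rules` and set `APPLY_RULES=1` as root only once the printed list has been reviewed.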

