Firewall Wizards mailing list archives
Host firewalling
From: Paul Robertson <proberts () patriot net>
Date: Thu, 25 Jul 2002 14:46:12 -0400 (EDT)
I've recently been playing with some network-based default-deny capabilities for Linux and Solaris systems, and I'm getting a lot of "we wouldn't load that kernel module" feedback 3rd hand.

That leaves me wondering (private replies are preferred, I'll probably end up summarizing if I get enough feedback rather than clogging the list with individual replies unless something interesting comes back)- how many of you would advocate loading a module (or 2 or 3) which provided some defense in depth- provided:

(A) The code was available for review.
(B) The code was GPL and/or widely reviewed.
(C) The code was easy to understand.
(D) The code was "blessed" by the OS vendor/distributor
(E) It saved you from having to do "hardening."

My primary motivator is that I've gotten tired of trying to do a minimum level of security on things like firewalls which seem to want GUIs no matter what these days.

Module features might be things like controlling network access, stopping remote shell exploit code, managing file access.

(I'm aware that most of this isn't new- I'm more interested in hurdles to such modules than comparisons or pointers to similar projects.)

Thanks,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
proberts () patriot net
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards