Firewall Wizards mailing list archives
RE: Custom Unix server installations -- to harden extensively ?
From: Steve Lunn <Steve.Lunn () homeowners co uk>
Date: Sun, 18 May 2003 09:06:30 +0100
Sorry if I'm a little late to this discussion, but I've only just found the mailing list. If it's already been said before, I'm sorry...

The National Security Agency(1) have a security enhanced version of Linux available from their website(2). They also have a range of security recommendation guides(3) for hardening OS's, mail and web servers, and routers. They are well worth a read and they are free.

Regards,
Steve

Links
1 http://www.nsa.gov/
2 http://www.nsa.gov/selinux/index.html
3 http://www.nsa.gov/snac/index.html

-----Original Message-----
From: Loomis, Rip [mailto:GILBERT.R.LOOMIS () saic com]
Sent: 16 May 2003 14:02
To: firewall-wizards () icsalabs com
Subject: RE: [fw-wiz] Custom Unix server installations -- to harden extensively ?
Well, once upon a time, there was a distribution called "Storm Linux" which was designed, from day one, to be a firewall.
It may be stating the obvious, but something that may have been secure in 2001 will not be secure today [...]
Since it's Debian, can YOU say apt-get ????
Hmm. It was *derived* from Debian, but anything that was done by Storm Linux to change the default Debian installation is now at least one of the following:

- Incorporated into the Debian install already
- Superseded by a later Debian official change to the same package (and therefore gone as soon as you do an apt-get)
- No longer a good idea, because it is based on assumptions that are no longer true
- Present on your system after an apt-get, but no longer working correctly because the behavior of some related package has changed in the meantime
- Maybe, JUST MAYBE still worth doing and it will still be active on your system--but since no one's maintaining Storm Linux and few are using it, it'll be damnably hard to know which things are in this category and to ensure they're effectively used.

I like Debian a lot and use it every day. There are a lot of security-relevant packages which could be installed and would probably do 90% of what Storm Linux was intended to do--they just won't all be installed by default. There have also been a few changes/improvements to the underlying kernel in the meantime.

I can't fathom why anyone would install Storm Linux and then update to current Debian. Why not just come up with a very specific Debian install that meets your needs? How are any remaining Storm Linux-specific packages actually going to be a net gain for you?

If it helps, it looks as though I'll be working with a co-worker to "port" the cisecurity.org Linux scoring tool (currently only handles RedHat and Mandrake) over to Debian. That, plus the existing Debian "bastille" package, should at least make it easier to set up a bastion host, if not a full-up firewall.
--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security | http://www.brainbench.com