Firewall Wizards mailing list archives
Re: chroot useful?
From: mcnabb () argus-systems com (Paul McNabb)
Date: Mon, 17 Nov 1997 17:27:17 -0600
From: Darren Reed <darrenr () cyber com au>

> >So, how many firewalls out there implemented with any of the common
> >operating systems (be they free or commercial) actually do this ?
>
> Why not ask them. Many claim to run "hardened" versions of
> BSD or LINUX. Vulnerabilities and exploits are well publicized,
> and many of the developers read these lists. I doubt many
> are going to be so arrogant as to take a NIH approach to something
> Marcus has contributed to the state of the technology ;-)

Well, the majority of the firewall market doesn't run on a "hardened" version of the OS because that's not what FW-1 uses. What % of the market do those selling hardened OS's make up ?

I get a bit confused, and I suspect I'm not alone, about the use of the term "hardened OS". To me, a hardened OS is a modified OS, not just a well-configured system (meaning tightened up and stripped down). I would classify Sidewinder as a "hardened OS", and Firewall-1 on Solaris with the Argus B3 extensions would be "hardened". I would also put into this category those firewalls running on Linux systems where the kernel has been modified for improved security.

Offhand, I can think of only two areas where hardening the underlying OS helps:

1) protecting against daemon/proxy flaws, such as stack overwrite bugs, that would allow an attacker to get a daemon/proxy to do something it wasn't designed to do,

2) separating administration activities from firewall services, such as when the firewall is administered via a network interface.

Packet filtering firewalls offering no network services and that are administered via the console see only marginal benefit from a "hardened" OS. The more the firewall is doing in user space, the more chance there is for a problem and the more a hardened OS will help.

IMHO, stripping down a system by removing unnecessary utilities, services, and processes reduces the chances of leaving a hole open and is absolutely essential for making a firewall "secure", but it does little towards making the remaining services more secure.

paul

---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb () argus-systems com    Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433               "Securing the Future"
---------------------------------------------------------