Firewall Wizards mailing list archives
Re: chroot useful?
From: Anton J Aylward <anton () toronto com>
Date: Thu, 20 Nov 1997 17:29:27 -0500
At 10:36 PM 17/11/97 -0600, Paul McNabb wrote:
> If you run a stripped down kernel, there is the chance that your system won't support the next firewall version, or that nice auditing program you want, or ...
The assumption you're making is that the firewall is an open platform. If you're running a platform which is inviting people to run all these nifty programs on it, you've got more serious conceptual problems than anything to do with hardening!
> And what about when your system admin guy leaves and the next guy comes along?
Implicit unstated assumption: this is a homegrown firewall. I was thinking of the ones where the vendor has done the hardening, for example BorderWare.
> If he needs to rebuild the system or add a patch, will it break everything?
If the system is vendor supplied, it's their problem. If it's a home brew, then it all depends on how well disciplined you are about things like documenting what you've done. If you don't document, then you've got more serious problems in your organization than patching your firewall!
> Another issue: if you are looking for commercial support and updates, having a home-grown OS version pretty much invalidates a lot of customer support.
Switcheroo.
> So as far as OSes are concerned, we are left with
> 1) running a strong commercial version (very few available)
> 2) running a bastardized but strong commercial version
> 3) running a potentially weak but fully supported commercial version
> 4) running a strong home version (with little help/experience from other sites)
Ah, the Big Lie, or at least a large one. This is far from a complete list. The obvious things missing are some trivialities like not running a firewall at all, running a firewall badly configured no matter how good it is technically (which seems to be about 80% of what's out there according to scans like Dan Farmer's)... and of course running something simple but effective. Then there is the issue of hiring expertise; one expert could support 50 to 100 sites of the 'strong home version' category. And of course there are the non-OS solutions like PIX (!@!), Marcus's DOS-loaded firewall, Sidewinder (which can be viewed as not being an OS). And if we take the view that "a firewall is the network's response to poor host security", we can always have good host security ;-) There are always more alternatives. Not least of all because the technology moves on...

/anton