Firewall Wizards mailing list archives
Re: Hardening, (was Re: chroot useful?)
From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 20 Nov 1997 18:18:53 -0500 (EST)
On Mon, 17 Nov 1997, Marcus J. Ranum wrote:
> I'm not convinced that hardening the O/S is worthwhile. If you are going to go that far, just do away with the O/S entirely and replace
That really depends on how 'hardened' the OS is, and what is intended to sit there. For firewalls in general, 'hardening' the system is an easier win than hardening the OS, and increases the level of assurance perceptibly. Sometimes there is some value in that, but oftentimes there isn't enough significant stuff running on the bastion to warrant that level of protection, since you would expect the firewall code itself to be done well. On the other hand, I'm looking at the assurance level of TCB OS' for things like certain 'extranet' Web servers, where I perceive value in the higher level of assurance and more significant degree of compartmentalization available. When the concept of superuser is gone, and the ability to grant ability is set in stone with strong audit or completely removed from the machine after configuration, I think there's great value. It's more about data integrity and access than machine level services though IMO.
> because you know it's either going to work, or lock up solid. It's all really a kind of nitpick point anyhow, since the most likely failure mode for the firewall is going to be user configuration errors or the incoming traffic problem.
Agreed.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts () clark net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
PSB#9280