Firewall Wizards mailing list archives

Test Systems - was Re: Hardening


From: John Lines <John.Lines () aeat co uk>
Date: Mon, 24 Nov 1997 12:28:41 +0000

Petri Virkkula wrote:

      I think changing things should be done and tested in a test
      environment where you can have for example another machine
      with all manual pages you need.


      Petri

I was beginning to think we were the only people who run a test system!

Ever since we first set up our connection to the internet (even before we
had a firewall in its present format - it started out as a dual hosted,
tightly controlled multiuser system) we had a test machine. Everything which
went onto the firewall was installed and tested on the test machine, and then
the components required for it to work were copied to the firewall.

This automatically gives you a lean system on the firewall, where you know
what each file is there for, and you can update your tripwire database whenever
you update the system.

Note that this approach is better suited, in some respects, to an organisation
running a home brew firewall - most commercial products are based on a model
of operation where there is no testing (because there is no chance that
they might not work perfectly first time in your environment!) and they
are installed directly onto the live machine.

This approach also tends to require the live system to be taken out of
service for updates - for quite a long time while the new system is configured.
It also means that the configuration tools live on the live system.

I would like to see manufacturers of security related products (especially
firewalls and web servers) produce them in a mode where you can use their
fancy configuration front ends on an internal test machine, and then produce
a live environment, for example as a tar file with just the required parts.

Coupled with this should be a separation of management tools, so that you
could still, for example, add users through a fancy interface (to the live
system).



        John Lines
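The build-on-a-test-machine, ship-only-what-is-needed, then-update-the-integrity-database
cycle described in the post above, as an added example that is not John Lines's own
script and not from any firewall product. It assumes a manifest file listing the files
that were proven necessary on the test machine (paths relative to the test tree), packs
exactly those into a tar file for the live system, and records and later verifies
checksums of the deployed tree. sha256sum stands in here for tripwire; the manifest and
the sample files in the demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Build a "live" release containing
# only the files named in a manifest, then record and verify checksums of the
# deployed tree. sha256sum stands in for tripwire; all files are constructed.
set -eu

# Hash one file; fall back to shasum on systems without sha256sum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_release <srcroot> <manifest> <out.tar>
# Refuse to build if any listed file is missing from the test-machine tree,
# so a typo in the manifest is caught before anything reaches the firewall.
build_release() {
    srcroot=$1; manifest=$2; out=$3
    set --
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        [ -f "$srcroot/$path" ] || { echo "missing: $path" >&2; return 1; }
        set -- "$@" "$path"
    done < "$manifest"
    tar -cf "$out" -C "$srcroot" "$@"
}

# make_checksum_db <root> <manifest> <db>
# Write "hash path" lines for every manifest file, relative to <root>.
make_checksum_db() {
    root=$1; manifest=$2; db=$3
    : > "$db"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$(hash_file "$root/$path")" "$path" >> "$db"
    done < "$manifest"
}

# verify_checksum_db <root> <db>
# Return 0 if every file still matches its recorded hash, 1 otherwise.
verify_checksum_db() {
    root=$1; db=$2; status=0
    while read -r expected path; do
        if [ -f "$root/$path" ]; then
            actual=$(hash_file "$root/$path")
        else
            actual=missing
        fi
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED: $path" >&2
            status=1
        fi
    done < "$db"
    return "$status"
}

# Demo: stage a few constructed files on a pretend test machine, build the
# release, deploy it to a pretend live tree, then check the tree twice.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/test/etc" "$work/test/usr/sbin" \
             "$work/test/usr/share/man/man8" "$work/live"
    printf 'allow tcp 25\n' > "$work/test/etc/fw.conf"
    printf '#!/bin/sh\nexit 0\n' > "$work/test/usr/sbin/fwd"
    printf 'not shipped\n' > "$work/test/usr/share/man/man8/fwd.8"
    # The manifest lists only what the daemon needs; the man page stays behind.
    printf 'etc/fw.conf\nusr/sbin/fwd\n' > "$work/manifest"

    build_release "$work/test" "$work/manifest" "$work/release.tar"
    tar -xf "$work/release.tar" -C "$work/live"
    make_checksum_db "$work/live" "$work/manifest" "$work/fw.db"

    # Lean live tree: nothing outside the manifest was copied.
    [ ! -e "$work/live/usr/share/man/man8/fwd.8" ] || return 1
    # Freshly deployed tree verifies clean.
    verify_checksum_db "$work/live" "$work/fw.db" || return 1
    # Tamper with a live file: verification must now fail.
    printf 'allow tcp any\n' > "$work/live/etc/fw.conf"
    if verify_checksum_db "$work/live" "$work/fw.db" 2>/dev/null; then
        return 1
    fi
    rm -rf "$work"
    echo ok
}
```

Run `demo` to exercise the whole cycle. The manifest is the key artefact: it is
what turns "everything we installed on the test box" into "exactly the files the
firewall needs", and it doubles as the list of files the integrity database has
to cover after each update.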



