Firewall Wizards mailing list archives

Re: Unix Hardening for FW installation


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sun, 07 Nov 1999 15:53:26 -0500


> The bottom line is that for a key security device like firewall, I
> would prefer to have more control, rather than heavily rely on the
> vendor to provide maintenance.

Sure. All chainsaw vendors have to cater to their customers that
want to juggle their products instead of simply using them for
their intended purpose.

I used to feel the same way Ellis does, before I was in the
position of the vendor and got a better understanding of the dynamics
of the other side. Vendors worry about (honestly, we do!) customers
who think they know what they are doing, who "fix" things and
get themselves in trouble. Back in my firewall days, I had a
customer who "got inside" the BSDI-based firewall I sold him, and
installed a web server on it - because he could. Don't complain
to the chainsaw maker if you have trouble catching it!

There are really two issues that I see which affect the situation:
        1) How long it takes the vendor to produce upgrades and how
                long it takes to install them when they do.
        2) How critical the resource is, in terms of up-time.

Many organizations would be absolutely fit to be tied if they had
to take their firewalls off the air for a week while they waited
for a vendor to produce a patch. Based on observation, I suspect
that most sites would rather run a known-to-be-insecure firewall
than be off the Internet for a week.

To me, (I'm biased, now that I'm a vendor) the important issue
is how fast the vendor can deliver and install releases. I suspect
most releases are not to fix security problems, anyhow, but rather
to add more features. From the vendor's standpoint, controlling
this improves the security (nobody will add a web server to an
NFR on my watch!) since it lowers the chance of out-of-maintenance
changes. It was these issues that motivated me to develop our
appliance methodology. Unless you carefully dissect our disk
and burn your own CDROM you're not going to be able to juggle our
chainsaw. I believe firewalls should be built the same way, by
the way. ;) A firewall should not have a command interpreter
on it, nor should it have login processes, etc. In return for
producing a restrictive system, the vendor has to commit to being
responsive about pushing out upgrades when necessary. Getting them
installed is the next trick. That's the other reason I like the
10-second "swap a CDROM" upgrade model. I've seen too many
sites' security erode because system/network managers did not
have time to install new releases.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
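Added example, not part of Marcus's message and not NFR's or any vendor's code: a POSIX shell audit that checks a host against the "no command interpreter, no login processes" rule he argues for above, plus an allowlist check for the "installed a web server because he could" case. The input is constructed sample data embedded in the script (a made-up /etc/passwd and a made-up listener list); on a real firewall you would feed it the actual /etc/passwd and the process column of `ss -lntp` or `netstat -a` output instead, and the allowlist would be the services the firewall is actually supposed to offer.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a host for the
# interactive-access paths the post says a firewall should not have:
# accounts with a real command interpreter as their shell, and listening
# services outside an explicit allowlist. All sample data below is
# constructed for the example, not taken from any real system.

# Constructed /etc/passwd sample. Note the empty-shell edge case:
# an empty seventh field means the default shell (/bin/sh), so it is
# interactive even though no shell path appears.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fw:x:1000:1000:firewall:/var/empty:/sbin/nologin
ops:x:1001:1001:operator:/home/ops:/bin/bash'

# Constructed listener sample: "proto port process" per line.
SAMPLE_LISTENERS='tcp 22 sshd
tcp 23 telnetd
udp 500 isakmpd
tcp 443 httpd'

# Constructed allowlist: the only daemon this appliance is meant to run.
ALLOWED_PROCS='isakmpd'

# Print account names whose login shell is a command interpreter.
# Anything not ending in nologin/false, or left empty, counts.
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 1 && ($7 == "" || $7 !~ /(nologin|false)$/) { print $1 }'
}

# Print "process:port" for every listener not on the allowlist.
# Allowlisting is deliberate: a denylist of sshd/telnetd would have
# missed the web server in the post's anecdote.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 3 && !($3 in ok) { print $3 ":" $2 }'
}

# Total findings; 0 means the host looks like a sealed appliance.
audit_findings() {
    n_acct=$(interactive_accounts "$1" | wc -l)
    n_svc=$(unexpected_listeners "$2" "$3" | wc -l)
    echo $((n_acct + n_svc))
}

# Stand-alone run against the constructed data.
echo "interactive accounts:"; interactive_accounts "$SAMPLE_PASSWD"
echo "unexpected listeners:"; unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PROCS"
total=$(audit_findings "$SAMPLE_PASSWD" "$SAMPLE_LISTENERS" "$ALLOWED_PROCS")
if [ "$total" -ne 0 ]; then
    echo "$total finding(s): host offers interactive access, not an appliance"
fi
```

On the sample data the script reports root and ops as interactive accounts and sshd, telnetd and httpd as listeners the appliance was never meant to run; isakmpd passes because it is on the allowlist. The check is only as good as the allowlist and the inputs you hand it, so run it from outside the box (for the listener half, a port scan from another host is the honest source) rather than trusting the firewall's own tools once you suspect it has been "juggled".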