Firewall Wizards mailing list archives
Re: Unix Hardening for FW installation
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sun, 07 Nov 1999 15:53:26 -0500
> The bottom line is that for a key security device like firewall, I would prefer to have more control, rather than heavily rely on the vendor to provide maintenance.
Sure. All chainsaw vendors have to cater to their customers that want to juggle their products instead of simply using them for their intended purpose. I used to feel the same way Ellis does, before I was in the position of the vendor and got a better understanding of the dynamics of the other side. Vendors worry about (honestly, we do!) customers who think they know what they are doing, who "fix" things and get themselves in trouble. Back in my firewall days, I had a customer who "got inside" the BSDI-based firewall I sold him, and installed a web server on it - because he could. Don't complain to the chainsaw maker if you have trouble catching it!

There are really two issues that I see which affect the situation:

1) How long it takes the vendor to produce upgrades and how long it takes to install them when they do.

2) How critical the resource is, in terms of up-time. Many organizations would be absolutely fit to be tied if they had to take their firewalls off the air for a week while they waited for a vendor to produce a patch.

Based on observation, I suspect that most sites would rather run a known-to-be-insecure firewall than be off the Internet for a week. To me (I'm biased, now that I'm a vendor) the important issue is how fast the vendor can deliver and install releases. I suspect most releases are not to fix security problems, anyhow, but rather to add more features. From the vendor's standpoint, controlling this improves the security (nobody will add a web server to an NFR on my watch!) since it lowers the chance of out-of-maintenance changes.

It was these issues that motivated me to develop our appliance methodology. Unless you carefully dissect our disk and burn your own CDROM you're not going to be able to juggle our chainsaw. I believe firewalls should be built the same way, by the way. ;) A firewall should not have a command interpreter on it, nor should it have login processes, etc.
In return for producing a restrictive system, the vendor has to commit to being responsive about pushing out upgrades when necessary. Getting them installed is the next trick. That's the other reason I like the 10-second "swap a CDROM" upgrade model. I've seen too many sites' security erode because system/network managers did not have time to install new releases.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr