Firewall Wizards mailing list archives

RE: Re: tcpdump on my firewall


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Sun, 28 Oct 2001 13:21:53 -0500 (EST)



One quick question, if the OS the fw runs on is Sun based, do you make
sure snoop is removed also?

Oops, make that two quick questions, the second being, if you have no
account on the fw at all, who monitors or audits the system to make sure
it is policy compliant?

Thanks,

Ron DuFresne

On Sat, 27 Oct 2001 hesselsp () ashaman dhs org wrote:


I have enjoyed reading all the replies to my post.  Here are a few
comments in response.

1. For those of you telling me to make a decision reflecting my security
policy.  The policy is simple; only have things on the firewall that are
required.  The bone of contention here is, is tcpdump required?  Luckily I
was able to evade this question thanks to the help of Jose Nazario who
gave me a convenient URL to security problems that tcpdump has had in
the past.  Adding to that was the fact that all of the switches in the
network have the required spec that they do port mirroring.

2. For those who suggest simplicity and minimalist is the best idea I
totally agree.  I did not have vi in the image until one of the techs made
a good case that it was required.

3. Chad Schieken stated,
1. this is an invaluable troubleshooting tool. It's helped me develop a 
detailed understanding of poorly documented transactions/protocols in many 
situations.

To which I agree completely, but I suggest that it is a tool best left on
a laptop that you plug in as necessary.

4. Chad Schieken also asked,
why did you reject the request in the first place?

My rejection of the request was two fold.  Firstly, I reject all first
time requests out of hand unless they are immediately obvious (like some
insurance companies I have heard of:).  The reader may not like
this policy, but it seems for now to be the only solution. Secondly
installation of a piece of software that is not strictly required is
against my policy.

5. Frederick M Avolio asked why I don't push it back to the tech and ask
him for justification of why it should be on the firewall.  Fred was also
quite disturbed that the tech might have an account on the firewall.

Well this is my fault for not explaining very well.  The easiest way to
think of my situation is that I am designing/prototyping/implementing the
firewall and he is going to administer (read: monitor) it.  He isn't allowed
to install software without my say, but he certainly can strongly suggest
things to be put on it.  When this firewall makes its way into the field,
I SHALL NOT (RFC 2119) have an account on these machines.  If it sounds
strange.... well... there are a lot of strange things out there :)

6. That tcpdump is a useful utility I agree.  That tcpdump is a utility
that should be on my firewall I disagree.  While it is the case that
anyone who roots my firewall can install libpcap and tcpdump on their own
I will give to you.  But why should I do them the favour of installing it
myself?

Thank you everyone for your help to this point,


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
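Two concrete checks for the questions raised in this thread, as an added example that is not from any of the participants: a POSIX shell audit that looks for the sniffers named above (tcpdump, snoop and libpcap) on a firewall image and reports binaries outside an approved baseline, which is what an auditor without a login would run against a mounted copy of the image. The directory list, the baseline file format (one binary name per line) and the image root argument are assumptions.

```shell
#!/bin/sh
# Audit a firewall image for packet-capture tooling that policy says must
# not be present, and for binaries outside an approved baseline.
# Each function takes the image root as $1 (default /), so a mounted copy
# of a deployed image can be checked without an account on the box.

# Binaries the thread agrees should stay off the firewall (assumed list).
FORBIDDEN="tcpdump snoop"

# Binary directories checked relative to the image root (assumed list).
BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# Print the path of each forbidden binary found; return 1 if any was found.
find_forbidden() {
    root=${1:-/}
    found=0
    for d in $BIN_DIRS; do
        for name in $FORBIDDEN; do
            if [ -e "$root/$d/$name" ]; then
                echo "$root/$d/$name"
                found=1
            fi
        done
    done
    return $found
}

# Print any libpcap shared object: without it tcpdump cannot run, so its
# presence is worth flagging even when the tcpdump binary itself is absent.
find_libpcap() {
    root=${1:-/}
    for d in lib usr/lib usr/local/lib; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -name 'libpcap*'
    done
}

# Print binaries present under the image that are not in the baseline file
# ($2, one name per line). Anything printed needs a justification.
baseline_extras() {
    root=${1:-/}
    sorted=$(mktemp)
    sort -u "$2" > "$sorted"
    for d in $BIN_DIRS; do
        [ -d "$root/$d" ] || continue
        ls "$root/$d"
    done | sort -u | comm -23 - "$sorted"
    rm -f "$sorted"
}
```

Run as `find_forbidden /mnt/fwimage; find_libpcap /mnt/fwimage; baseline_extras /mnt/fwimage baseline.txt` against a mounted image; a non-empty result from any of the three is a policy deviation to chase down.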

