Firewall Wizards mailing list archives
Re: Securing a Linux Firewall
From: "Michael A. Williams" <mike () netxsecure net>
Date: Sat, 03 Aug 2002 19:59:13 +1200
Carson Gaspar wrote:
--On Thursday, August 01, 2002 6:42 PM -0700 "Stephen P. Berry" <spb () meshuggeneh net> wrote:
In short, if you're interested in securing the box, you're either already doing much of the work required to come up with a minimal install or you're not actually securing it.
No. Doing a basic application security analysis does not require doing the full filesystem dependency analysis. And in reality, doing so is not possible, as you cannot know all the dependencies in a closed-source product unless you can fully exercise all functions.
Unfortunately, our software kernel patches are not available for a closed source environment. For the *bsd systems that they are available for, and the chosen OS version running below secure level two (our warning versus deny stance), the 'full filesystem dependency analysis' is achieved via syslog warnings: add as desired to the signature database and repeat until a signature database to suit the intended requirement is created, then move the system to secure level two, check, and then once the signature database is final either burn to CD or gzip for distribution. I guess we fall into the minimal install category with our signed_exec and signature database build requirements; so far we support only a very small number of boxen across two OS's with several versions of each. ...
Any attacker with half a brain can install any tool he wants on the box, once he's on the box. Yes, having a compiler installed makes his life easier. But not having one doesn't stop him. It may indeed slow him down. So would running VMS.
This specifically is what our trojanproof.org signed_exec kernel patches are attempting to stop.
All the arguments for having a minimal install involve "raising the bar" and making an attacker's life more difficult. But it also makes the admin's life more difficult, in a real and monetarily measurable sense. And doesn't prevent a determined attacker from doing anything.
Yes, 'makes the admin's life more difficult, in a real and monetarily measurable sense' is definitely true with our signed_exec implementation; however, we are at least 'making an attacker's life more difficult'.
--
Mike.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
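The workflow described in the message above (warn below secure level two, add to the signature database, repeat, then deny) can be modelled in userland. This is an added example, not part of the original post and not the trojanproof.org signed_exec code. SHA-256 hashing, the in-memory database, the names `ExecGate`, `check_exec`, `learn` and `run_demo`, and the sample files are all assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

class ExecGate:
    """Userland model of a hash-allowlist exec check (not the signed_exec code)."""

    def __init__(self):
        self.signatures = set()  # stand-in for the signature database
        self.enforce = False     # False: warn only; True: deny unknown binaries
        self.warnings = []       # stand-in for the syslog warnings

    def check_exec(self, path):
        """Return True if this exec is allowed under the current mode."""
        d = digest(path)
        if d in self.signatures:
            return True
        self.warnings.append((str(path), d))
        return not self.enforce

    def learn(self, approved):
        """Add admin-approved warned binaries to the database, clear the log."""
        self.signatures |= {d for p, d in self.warnings if p in approved}
        self.warnings.clear()

def run_demo():
    """Build the database in warn mode, lock it, then try two tampering cases."""
    with tempfile.TemporaryDirectory() as tmp:
        daemon, helper, tool = (Path(tmp, n) for n in ("fwd", "helper", "tool"))
        daemon.write_bytes(b"constructed firewall daemon")
        helper.write_bytes(b"constructed helper")
        gate, passes = ExecGate(), 0
        while True:  # warn-mode loop: exercise the workload, review, repeat
            passes += 1
            for p in (daemon, helper):
                gate.check_exec(p)
            if not gate.warnings:
                break
            gate.learn({str(daemon), str(helper)})
        gate.enforce = True  # corresponds to moving to secure level two
        tool.write_bytes(b"constructed binary dropped after lock-down")
        helper.write_bytes(b"constructed trojaned helper")
        return {"passes": passes, "daemon": gate.check_exec(daemon),
                "dropped": gate.check_exec(tool),
                "trojaned": gate.check_exec(helper), "logged": len(gate.warnings)}
```

In this model, a binary that was never exercised during the warn-mode passes is denied after lock-down just like a dropped one, which is the admin cost the thread is arguing about.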