Firewall Wizards mailing list archives

RE: Securing a Linux Firewall


From: David Lang <david.lang () digitalinsight com>
Date: Wed, 24 Jul 2002 13:17:10 -0700 (PDT)

when you are considering things for stripping off the box you should think
about what you want on there for debugging and leave that there.

for example on a firewall you may want to leave something like perl or
tcpdump on there even though you don't use them for normal firewall
operations because you want them on there for debugging, but do you really
need apache and gnome on there? (just picking a couple large packages as
examples)

David Lang

On Tue, 23 Jul 2002, Carson Gaspar wrote:

There are a few reasons I don't like the "strip everything off the box"
mentality.

- It frequently makes debugging problems nearly impossible, as the
necessary tools are not present.

- Every time a patch or a new OS version is released, the set of files that
are required changes. Also, new privileged binaries may appear.

I've had to maintain "jumpstart"-like images for secure servers.
Maintaining a "known-good" list for privileged binaries is relatively
straightforward. Maintaining a "known-good" list of _all_ binaries is a
nightmare. I further assert that maintaining a "known-bad" list is a lost
cause.

--
Carson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
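
The "known-good" list for privileged binaries discussed in the thread can be checked mechanically. The script below is an added example, not part of either message: the allowlist format (one absolute path per line, `#` comments), the function names and the demo tree are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a known-good list.

# Print every setuid or setgid regular file under $1, sorted (one filesystem only).
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# audit_privileged ROOT ALLOWLIST
# ALLOWLIST format (assumed): one absolute path per line, '#' starts a comment.
# Prints "UNEXPECTED <path>" for privileged files not on the list and
# "MISSING <path>" for listed files that are gone or no longer privileged.
# Returns 0 when the system matches the list exactly, 1 otherwise.
audit_privileged() {
    root=$1; allow=$2
    tmp=$(mktemp -d) || return 2
    list_privileged "$root" > "$tmp/found"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$allow" |
        LC_ALL=C sort -u > "$tmp/good"
    LC_ALL=C comm -23 "$tmp/found" "$tmp/good" | sed 's/^/UNEXPECTED /'
    LC_ALL=C comm -13 "$tmp/found" "$tmp/good" | sed 's/^/MISSING /'
    if cmp -s "$tmp/found" "$tmp/good"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed demo: a throwaway tree with one listed and one unlisted setuid
# file, plus an allowlist entry (su) that does not exist in the tree.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/bin"
    : > "$d/bin/ping"; : > "$d/bin/newtool"; : > "$d/bin/ls"
    chmod 4755 "$d/bin/ping" "$d/bin/newtool"
    chmod 0755 "$d/bin/ls"
    printf '# known-good privileged binaries\n%s\n%s\n' \
        "$d/bin/ping" "$d/bin/su" > "$d/allow"
    audit_privileged "$d" "$d/allow"; status=$?
    rm -rf "$d"
    return "$status"
}

# Run the demo only when asked: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Rerunning the audit after each patch or OS upgrade surfaces any privileged binaries that appeared or disappeared since the list was last reviewed.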
