Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Custom Unix server installations -- to harden extens ively ?

From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Fri, 16 May 2003 09:01:36 -0400


Well, once upon a time, there was a distribution called 
"Storm Linux" which was designed, from day one, to be a firewall.   



It may be stating the obvious, but something that may have 
been secure in 2001 will not be secure today [...]



Since it's Debian, can YOU say apt-get ????


Hmm.  It was *derived* from Debian, but anything that was done
by Storm Linux to change the default Debian installation is now
at least one of the following:
  - Incorporated into the Debian install already
  - Superseded by a later Debian official change to the same
    package (and therefore gone as soon as you do an apt-get)
  - No longer a good idea, because it is based on assumptions
    that are no longer true
  - Present on your system after an apt-get, but no longer
    working correctly because the behavior of some related
    package has changed in the meantime
  - Maybe, JUST MAYBE still worth doing and it will still be
    active on your system--but since no one's maintaining
    Storm Linux and few are using it, it'll be damnably hard
    to know which things are in this category and to ensure
    they're effectively used.

I like Debian a lot and use it every day.  There are a lot of
security-relevant packages which could be installed and would
probably do 90% of what Storm Linux was intended to do--they
just won't all be installed by default.  There have also been
a few changes/improvements to the underlying kernel in the
meantime.

I can't fathom why anyone would install Storm Linux and then
update to current Debian.  Why not just come up with a
very specific Debian install that meets your needs?  How are
any remaining Storm Linux-specific packages actually going
to be a net gain for you?

If it helps, it looks as though I'll be working with a co-worker
to "port" the cisecurity.org Linux scoring tool (currently only
handles RedHat and Mandrake) over to Debian.  That, plus the
existing Debian "bastille" package, should at least make it
easier to set up a bastion host, if not a full-up firewall.

--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security | http://www.brainbench.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: