Firewall Wizards mailing list archives

RE: Custom Unix server installations -- to harden extensively?


From: Steve Lunn <Steve.Lunn () homeowners co uk>
Date: Sun, 18 May 2003 09:06:30 +0100

Sorry if I'm a little late to this discussion, but I've only just
found the mailing list. If it's already been said before, I'm
sorry...

The National Security Agency(1) have a security enhanced version
of Linux available from their website(2).

They also have a range of security recommendation guides(3) for
hardening OS's, mail and web servers, and routers.

They are well worth a read and they are free.

Regards,

Steve

Links
1 http://www.nsa.gov/
2 http://www.nsa.gov/selinux/index.html
3 http://www.nsa.gov/snac/index.html

-----Original Message-----
From: Loomis, Rip [mailto:GILBERT.R.LOOMIS () saic com]
Sent: 16 May 2003 14:02
To: firewall-wizards () icsalabs com
Subject: RE: [fw-wiz] Custom Unix server installations -- to harden extensively?



Well, once upon a time, there was a distribution called 
"Storm Linux" which was designed, from day one, to be a firewall.   

It may be stating the obvious, but something that may have 
been secure in 2001 will not be secure today [...]

Since it's Debian, can YOU say apt-get ????

Hmm.  It was *derived* from Debian, but anything that was done
by Storm Linux to change the default Debian installation is now
at least one of the following:
  - Incorporated into the Debian install already
  - Superseded by a later Debian official change to the same
    package (and therefore gone as soon as you do an apt-get)
  - No longer a good idea, because it is based on assumptions
    that are no longer true
  - Present on your system after an apt-get, but no longer
    working correctly because the behavior of some related
    package has changed in the meantime
  - Maybe, JUST MAYBE still worth doing and it will still be
    active on your system--but since no one's maintaining
    Storm Linux and few are using it, it'll be damnably hard
    to know which things are in this category and to ensure
    they're effectively used.

I like Debian a lot and use it every day.  There are a lot of
security-relevant packages which could be installed and would
probably do 90% of what Storm Linux was intended to do--they
just won't all be installed by default.  There have also been
a few changes/improvements to the underlying kernel in the
meantime.

I can't fathom why anyone would install Storm Linux and then
update to current Debian.  Why not just come up with a
very specific Debian install that meets your needs?  How are
any remaining Storm Linux-specific packages actually going
to be a net gain for you?

If it helps, it looks as though I'll be working with a co-worker
to "port" the cisecurity.org Linux scoring tool (currently only
handles RedHat and Mandrake) over to Debian.  That, plus the
existing Debian "bastille" package, should at least make it
easier to set up a bastion host, if not a full-up firewall.

--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security | http://www.brainbench.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


