Re: Unix Hardening for FW installation
Ellis Luk (e_luk at hotmail.com)
Mon, 01 Nov 1999 17:28:16 PST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Marcus J. Ranum: "Re: Unix Hardening for FW installation"
- Previous message: Drexx Laggui: "Re: packet too large and/or Ping Of Death ???"
- In reply to: Mikael Olsson: "Re: packet too large and/or Ping Of Death ???"
- Next in thread: Marcus J. Ranum: "Re: Unix Hardening for FW installation"
- Reply: Marcus J. Ranum: "Re: Unix Hardening for FW installation"
Marcus Ranum wrote:
>I used to believe in "stripping" operating systems. Now I believe
>in "building" them. Rather than removing what I think may be bad,
>I prefer to start with a bootstrap loader and add the things I need.
>:)
>The NFR appliance (which I happened to do the first round of
>system integration for) was built in the manner described above.
>I took the bootstrap, added a kernel and filesystem, a minimum
>of devices, and then coded my own version of init and everything
>above kernel space.
This is also a topic that a few of us discussed recently.
I understand that if it is a passive device (like an intrusion detection
device), it may be a good idea to use an "appliance". My reasoning is
that:
If the vendor makes a mistake while building their basic OS for the
appliance, the worst situation is that the system is compromised and
I will become "blind" (in terms of network activities). But, in
general, it will not compromise my network security since my IDS
appliance is placed outside my firewall, and it is not trusted.
However, for an active device like a firewall, the mistake may become
very costly. That said, everyone makes mistakes, including SUN, BSDI, MS,
etc. So what is the difference? I believe that for those organisations
who heavily rely on the FW supplier for security maintenance, there
would not be much difference. (Actually, the security may be improved
because administrators will be more willing to upgrade/patch the FW.)
But to me, if a bug is found, I want to be able to implement the
workaround ASAP, and then the vendor patch when it becomes available.
Of course, there may be no workaround until the vendor can provide
a patch :-(
The bottom line is that for a key security device like a firewall, I
would prefer to have more control, rather than heavily rely on the
vendor to provide maintenance.
I will be interested to hear other people's opinions.
-- Ellis
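The "build it up rather than strip it down" approach quoted above only pays off if the box is periodically checked against the list of what it was built to contain. The following shell script is an added example, not part of the original post or of the NFR appliance: it compares a host's inventory of listening services and setuid binaries against an explicit allowlist and reports anything not on the list. The allowlist and the inventory are constructed sample data; on a real host the inventory would be produced by commands such as `netstat -an` and `find / -perm -4000 -type f`.

```shell
#!/bin/sh
# Allowlist audit for a minimally built firewall host (added example).
# Anything found on the box that is not in the allowlist is reported,
# which is the "build" philosophy turned into a repeatable check.

# Constructed allowlist: what the minimal build is expected to contain.
ALLOWED_SERVICES="sshd
syslogd"
ALLOWED_SETUID="/usr/bin/passwd
/usr/bin/su"

# Constructed inventory, standing in for the output of `netstat -an`
# and `find / -perm -4000 -type f` on a real host.
FOUND_SERVICES="sshd
syslogd
sendmail
portmap"
FOUND_SETUID="/usr/bin/passwd
/usr/bin/su
/usr/bin/rcp
/usr/sbin/sendmail"

# unexpected ALLOWED FOUND
# Prints each line of FOUND (sorted, deduplicated) that does not appear
# as an exact line in ALLOWED.
unexpected() {
    printf '%s\n' "$2" | sort -u | while IFS= read -r item; do
        [ -n "$item" ] || continue
        if ! printf '%s\n' "$1" | grep -qxF -- "$item"; then
            printf '%s\n' "$item"
        fi
    done
}

# audit_host
# Exit status 0 when both inventories match their allowlists, 1 otherwise.
# Suitable for a cron job that mails or logs the report.
audit_host() {
    n=$( {
        unexpected "$ALLOWED_SERVICES" "$FOUND_SERVICES"
        unexpected "$ALLOWED_SETUID" "$FOUND_SETUID"
    } | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Report run: lists the deviations from the allowlist.
echo "Unexpected listening services:"
unexpected "$ALLOWED_SERVICES" "$FOUND_SERVICES"
echo "Unexpected setuid binaries:"
unexpected "$ALLOWED_SETUID" "$FOUND_SETUID"
if audit_host; then
    echo "Host matches allowlist."
else
    echo "Host deviates from allowlist."
fi
```

The check is deliberately allowlist-based: a list of "things to remove" is never finished, whereas a list of "things that are supposed to be here" is small on a purpose-built host and is easy to review when a workaround or vendor patch changes it.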
This archive was generated by hypermail 2.0b3 on Sun Nov 07 1999 - 03:33:33 CST