RE: [fw-wiz] Securing a Linux Firewall

From: David Lang (david.lang@digitalinsight.com)
Date: 07/24/02


From: David Lang <david.lang@digitalinsight.com>
To: Carson Gaspar <carson@taltos.org>
Date: Wed Jul 24 16:28:01 2002

when you are considering things for stripping off the box you should think
about what you want on there for debugging and leave that there.

for example on a firewall you may want to leave something like perl or
tcpdump on there even though you don't use them for normal firewall
operations because you want them on there for debugging, but do you really
need apache and gnome on there? (just picking a couple large packages as
examples)

David Lang

On Tue, 23 Jul 2002, Carson Gaspar wrote:

> There are a few reasons I don't like the "strip everything off the box"
> mentality.
>
> - It frequently makes debugging problems nearly impossible, as the
> necessary tools are not present.
>
> - Every time a patch or a new OS version is released, the set of files that
> are required changes. Also, new privileged binaries may appear.
>
> I've had to maintain "jumpstart"-like images for secure servers.
> Maintaining a "known-good" list for privileged binaries is relatively
> straightforward. Maintaining a "known-good" list of _all_ binaries is a
> nightmare. I further assert that maintaining a "known-bad" list is a lost
> cause.
>
> --
> Carson
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
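
Added example, not part of either message: a minimal Python audit of the "known-good list for privileged binaries" approach described in the quoted text. It walks a tree for setuid/setgid files and reports differences from the list. The file names, modes, and `KNOWN_GOOD` contents are constructed sample data, and `find_privileged`, `audit`, and `demo` are hypothetical helper names.

```python
import os
import stat
import tempfile

PRIV_BITS = stat.S_ISUID | stat.S_ISGID

def find_privileged(root):
    """Return {relative_path: mode} for regular files with setuid/setgid set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & PRIV_BITS:
                found[os.path.relpath(path, root)] = stat.S_IMODE(st.st_mode)
    return found

def audit(root, known_good):
    """Compare privileged files under root against the known-good path set."""
    present = find_privileged(root)
    unexpected = sorted(p for p in present if p not in known_good)
    missing = sorted(p for p in known_good if p not in present)
    return unexpected, missing

# Constructed sample tree standing in for a firewall's filesystem.
SAMPLE_TREE = {
    "bin/su": 0o4755,            # setuid, on the known-good list
    "usr/bin/passwd": 0o4755,    # setuid, on the known-good list
    "usr/bin/newtool": 0o4755,   # setuid, appeared after a hypothetical patch
    "usr/sbin/tcpdump": 0o755,   # unprivileged debugging tool, not tracked
}
KNOWN_GOOD = {"bin/su", "usr/bin/passwd", "usr/bin/sudo"}  # constructed list

def demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in SAMPLE_TREE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, mode)
        return audit(root, KNOWN_GOOD)

if __name__ == "__main__":
    unexpected, missing = demo()
    print("privileged but not on known-good list:", unexpected)
    print("on known-good list but not present:", missing)
```

Only privileged files are tracked, so an unprivileged debugging tool such as tcpdump needs no list entry, while a new setuid binary introduced by a patch is reported.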