Re: [fw-wiz] Securing a Linux Firewall

From: Carson Gaspar (carson@taltos.org)
Date: 07/31/02


From: Carson Gaspar <carson@taltos.org>
To: firewall-wizards@honor.icsalabs.com
Date: Wed Jul 31 21:17:01 2002


--On Tuesday, July 30, 2002 4:41 PM -0700 "Stephen P. Berry"
<spb@meshuggeneh.net> wrote:

> When you have to cope with upgrades, version migrations, patches and
> that sort of thing, keep in mind that you don't have to redo everything
> from scratch---you're just dealing with the deltas, and then only if
> they apply to the widgets that are a part of your minimal install. This
> sort of thing is always a pain -regardless- of what your typical machine
> looks like, and I just don't see how having a bare bones system makes
> it more painful. It certainly hasn't been in my experience.

As a matter of curiosity, what is your experience? Platform, types of
applications supported, number of systems/users? This is a serious question
- it could be that our viewpoints are both valid, but for different
environments.

My experience with maintaining Solaris builds for tens of thousands of
machines running just about anything you can imagine contradicts your
statements. The amount of churn in what is required between Solaris
versions is large. After attempting to maintain a "minimal" install, that
still had way too much setuid crap (due to the granularity of Sun
packages), or that broke Sun's package mechanisms, I stopped doing it.
Solaris 9 is supposed to be better about package granularity, but I haven't
touched the beast yet.

My assertion is that the maintenance cost of maintaining a "minimal" build,
or multiple "minimal" builds (minimal for what? A firewall? A Sybase
server?), is too high for the minimal security gained from it. Nobody has
given me sufficient evidence of either great security gains, or of reduced
maintenance costs, for me to change my assertion.

-- 
Carson

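The "setuid crap due to the granularity of Sun packages" point above is easy to quantify. The script below is an added example, not part of Carson's post or the thread: it parses the layout of Solaris' package database (assumed here to be `/var/sadm/install/contents`, with a constructed sample embedded) and ranks packages by how many setuid/setgid files each one forces you to keep, which is what decides whether a "minimal" build can actually shed privileged binaries.

```python
"""Rank Solaris packages by the setuid/setgid files they own.

Added example, not from the mailing-list thread. Assumes the layout of
/var/sadm/install/contents: regular files ('f', 'e', 'v') carry
path, type, class, octal mode, owner, group, size, cksum, mtime and then
one or more owning packages; directories and links carry fewer fields.
"""
import stat
from collections import defaultdict

# Constructed sample in the contents-file layout (sizes/checksums made up).
SAMPLE_CONTENTS = """\
# Solaris package contents (constructed sample)
/usr/bin d none 0755 root bin SUNWcsr SUNWcsu
/usr/bin/passwd f none 6555 root sys 10332 5678 1034555 SUNWcsu
/usr/bin/ps f none 4555 root sys 22000 1111 1034555 SUNWcsu
/usr/bin/ls f none 0555 root bin 18000 2222 1034555 SUNWcsu
/usr/bin/write f none 2555 root tty 9000 3333 1034555 SUNWcsu
/usr/sbin/ping f none 4555 root bin 30000 4444 1034555 SUNWcsr
/usr/bin/sh=../../sbin/sh s none SUNWcsu
/usr/lib/sendmail f none 4555 root bin 500000 5555 1034555 SUNWsndmu
"""

def parse_privileged(contents_text):
    """Return {package: [(path, mode), ...]} for every setuid/setgid entry."""
    by_pkg = defaultdict(list)
    for line in contents_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Directories, links and pipes have no setuid bit worth counting,
        # and their shorter field layout would misalign the mode column.
        if len(fields) < 10 or fields[1] not in ("f", "e", "v"):
            continue
        path, mode = fields[0], int(fields[3], 8)
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        for pkg in fields[9:]:  # a file may belong to several packages
            by_pkg[pkg].append((path, mode))
    return dict(by_pkg)

def report(contents_text):
    """Rank packages by privileged-file count; print and return the ranking."""
    by_pkg = parse_privileged(contents_text)
    ranked = sorted(by_pkg.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    for pkg, entries in ranked:
        print(f"{pkg}: {len(entries)} setuid/setgid file(s)")
        for path, mode in entries:
            print(f"    {oct(mode)[2:]} {path}")
    return ranked

if __name__ == "__main__":
    report(SAMPLE_CONTENTS)
```

Run against a real contents file, the packages at the top of the ranking are the ones whose removal would actually shrink the privileged surface, and the ones where a single wanted binary drags a whole cluster of setuid files along with it.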