> To perl, or not to perl; that is the question. Literally.
>
> A request has been made to install perl on the firewall. (It
> would run some system audit routines, bring it in line with the
> rest of the internal unix systems.) Given the choice, I'd rather
> not. Why give the hackers yet another tool to use when they
> break into the firewall? I wouldn't put a C compiler on the system
> for the same reason. The argument for installing perl is that it's
> much more "secure" than something like C, and no more insecure
> than shell scripts.
>
> I'd be most grateful for opinions, pro and con, from the list.

Lyn,

I must say that I'm a minimalist. I believe a firewall, or any other host
for that matter, should not contain anything which it does not use.
Today's systems have all kinds of tools loaded because they are general
computers that can be used for many purposes, thus numerous tools need to
be loaded to make it easy for the user to load and operate. The inherent
problem is that insecurity is the result.

For firewalls, I like a floppy disk or CD-ROM based system, with no hard
disk, that only boots the basic system with the appropriate tools included.
Linux has one called "The Linux Router Project" and its offshoots.
FreeBSD has a derivative called PicoBSD. These systems use the bare
essentials only with no way to write anything to any medium without cutting
a new floppy or CD-ROM (obviously CD-ROM is a better way to do this). This
way the hacker cannot modify anything and cannot load his/her own tools.
This makes it very difficult, if not impossible, for the non-cracker elite
to do much of anything once they get to the firewall.

Anyway, minimal is the name of the game. Set up logging (/etc/syslog.conf)
to log to an internal host. This way you do not have to have a writable
device on the firewall.

Just my $0.02 worth.

Paul
---------------------------------------------------------------------------
Paul B. Brown [EMAIL PROTECTED]
President
Brown Technologies Network, Inc. http://www.btechnet.com/
Systems and Applications Design, Development, Deployment, and Maintenance
---------------------------------------------------------------------------
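
An added example, not part of the message above: a shell check that a classic syslog.conf follows the advice to log only to an internal host, so the firewall needs no writable disk. The sample configs and the host name `loghost` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample configs are constructed.

# audit_syslog_conf FILE
# Classifies each rule of a classic syslog.conf by its action field.
# Returns 0 only if at least one rule forwards to a remote host and no
# rule writes to a local file or named pipe.
audit_syslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            action = $NF                     # action is the last field
            if (action ~ /^@/) {
                nremote++
                printf "ok    line %d: forwards to %s\n", NR, substr(action, 2)
            } else if (action ~ /^\/dev\//) {
                nother++                     # console or tty, not storage
                printf "note  line %d: device %s\n", NR, action
            } else if (action ~ /^-?\// || action ~ /^\|/) {
                nlocal++                     # file (optionally "-" unsynced) or pipe
                printf "LOCAL line %d: writes to %s\n", NR, action
            } else {
                nother++                     # user list or "*"
                printf "note  line %d: users %s\n", NR, action
            }
        }
        END {
            printf "summary: remote=%d local=%d other=%d\n", nremote, nlocal, nother
            exit (nlocal > 0 || nremote == 0) ? 1 : 0
        }
    ' "$1"
}

# Constructed samples: "loghost" stands in for the internal log server.
sample_dir=$(mktemp -d)
cat > "$sample_dir/remote_only.conf" <<'EOF'
# forward everything to the internal log host
*.*		@loghost
*.emerg		/dev/console
EOF
cat > "$sample_dir/mixed.conf" <<'EOF'
*.*		@loghost
auth.*		/var/log/auth.log
mail.*		-/var/log/maillog
EOF

audit_syslog_conf "$sample_dir/remote_only.conf"
audit_syslog_conf "$sample_dir/mixed.conf" || echo "mixed.conf still needs a writable disk"
```

The check can be run against a copy of the config on the build host before the boot image is cut, so nothing extra has to be installed on the firewall itself.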