Yes, separate boxes for separate applications, which also adds to overhead 
and administrative headaches.  But that is another ball of wax.  The real 
way to go is to almost eliminate the application from the O/S, as in 
specialized O/S installations, as in bundling something like TITAN with 
the application if on Solaris; that way the only services that are open are 
something specifically set with the application, but that would really be 
going back to a concept of kernel-based applications, tuning the kernel for 
specific uses, and discarding the rest of the junk.  Hmm, same idea being 
approached with IDS software.

/mark

At 10:17 PM 8/31/00 +0200, Mikael Olsson wrote:

>[EMAIL PROTECTED] wrote:
> >
> > Actually, it was not really a remote compromise but an oversight in QA,
> > such that when the pieces were integrated, the Gauntlet firewall was
> > then vulnerable.
>
>Blah. It was delivered r00table out-of-the-box. This makes the finished
>product vulnerable. Period. Now, if this had been end users installing
>stuff on the firewall, it had been another matter, but it wasn't.
>
>To me, this just proves again that you shouldn't load one single
>machine up with a bazillion services. Separate machines are
>the way to go.
>
>
>To steer this in another direction and reconnect to my "Basic firewall
>design concepts" post from two weeks ago (Hi, Jefferey! :)), I'd like
>to talk a bit about sidewinder again. Well, actually, more about the
>concept of "trusted OSes" than sidewinder, but since that firewall is
>a representative of said category, here goes...
>
>Now, the tOS idea is to compartmentalize the operating environment so
>that a compromised FTP proxy process won't gain control over the
>firewall kernel or other processes. Fine. Assume that this works.
>Being a C and assembler coder, I don't believe it really does, but
>that's another story. Let's just for the sake of argument assume
>that it actually works.
>
>Now, assume that said FTP proxy process is compromised and completely
>under the control of an external user. What, pray tell, keeps this
>FTP proxy from connecting to pretty much any port on any host
>behind the firewall?
>
>Hmm?
>
>Food for thought, I say...
>
>Regards,
>Mikael Olsson
>
>--
>Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
>Phone: +46-(0)660-29 92 00         Fax: +46-(0)660-122 50
>Mobile: +46-(0)70-66 77 636
>WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
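The gap Mikael points at (a compartmentalized proxy that is still free to open connections to any internal host) is closed by a per-compartment egress policy, not by process isolation alone. The following is an added illustration written for this thread, not code from any of the products mentioned; the policy table, compartment names and addresses are constructed, and the model assumes the kernel consults such a table before letting a compartment initiate an outbound TCP connection.

```python
"""Model of a default-deny egress policy keyed by proxy compartment.

Constructed example: each proxy runs in its own compartment, and every
outbound connect() from a compartment is checked against this table.
Without such a rule a compromised FTP proxy can reach any host/port
behind the firewall, which is exactly the question raised above.
"""
from ipaddress import ip_address, ip_network

# Hypothetical policy table: compartment -> (destination network, port range)
# pairs it may initiate connections to.  Anything not listed is denied.
EGRESS_POLICY = {
    # The FTP proxy may only reach the one internal FTP server: the control
    # channel on 21 and passive-mode data ports on that same host.
    "ftp-proxy": [
        (ip_network("10.1.0.10/32"), range(21, 22)),
        (ip_network("10.1.0.10/32"), range(49152, 65536)),
    ],
    # The HTTP proxy may reach the internal web farm on port 80 only.
    "http-proxy": [(ip_network("10.1.2.0/24"), range(80, 81))],
}


def egress_allowed(compartment: str, dst_ip: str, dst_port: int) -> bool:
    """Return True only when an explicit rule permits this connection."""
    addr = ip_address(dst_ip)
    for net, ports in EGRESS_POLICY.get(compartment, []):
        if addr in net and dst_port in ports:
            return True
    return False  # default deny: unknown compartment or unlisted destination


def audit(attempts):
    """Return the denied (compartment, ip, port) attempts from a batch.

    A denied attempt from a proxy compartment is worth alerting on: the
    proxy has no legitimate reason to try it, so it is a strong sign the
    process is no longer doing what it was installed for.
    """
    return [a for a in attempts if not egress_allowed(*a)]


# Constructed attempts, mixing normal proxy traffic with what a taken-over
# FTP proxy might try against the inside network.
ATTEMPTS = [
    ("ftp-proxy", "10.1.0.10", 21),     # legitimate control channel
    ("ftp-proxy", "10.1.0.10", 50000),  # legitimate passive data channel
    ("ftp-proxy", "10.1.0.10", 23),     # telnet on the FTP server: denied
    ("ftp-proxy", "10.1.5.7", 139),     # arbitrary internal host: denied
    ("http-proxy", "10.1.2.4", 80),     # legitimate web proxy traffic
]

if __name__ == "__main__":
    for attempt in audit(ATTEMPTS):
        print("DENY", attempt)
```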
