On Tue, 19 Feb 2002, Paul D. Robertson wrote:

        [SNIP]

>
> The OBSD work really has more relevance in servers than firewalls, as most
> of the exploited services shouldn't be running on a firewall in the first
> place.  Other than the ICMP kernel bug recently, there's not much that
> should have affected a well-configured Linux firewall in the last couple
> years.

It can't be emphasized enough that many people nowadays do not install a
hardened firewall server.  They install a user desktop based system with
firewall features added, making it more a 'personal firewall' system than
a real hardened and specifically defined service system.  Far too many of
the firewalls implemented in any of the BSDs, or Linux variants, are full
installs of the whole package sets and some often include other sweet
little toys and trinkets that work mostly to weaken the OS/firewalling
base.  This is the same with many of the other exposed kind of systems
folks deploy these days.  Many sendmail servers, DNS servers and web
systems are fully installed OSes, all the bells and toys and trinkets and
little if any real hardening has taken place to limit the services running
on the system.  Firewalls and exposed systems need to be locked down to
limit the potential for exploit.  These should be systems dedicated to a
task, and the only functionality loaded on such should be those specific
tools that serve the dedicated function of the system being provisioned.
This makes it much easier for the admin of such systems to track potential
bugs in a limited number of services as well, dedicated bug tracking, if
you will.


Thanks,

Ron DuFresne


>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> [EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
