In message <[EMAIL PROTECTED]>, "Paul D. Robertson" writes:

[And I can already see myself falling for Paul's bait.]

>On Thu, 11 Apr 2002, Simon J. Gerraty wrote:
>
>> >proxies to all interfaces anymore. Also, since most are hybrids, they
>> >normally also packet filter everything on OSen where you can't just rip
>> >out all the non-proxy stuff (Solaris anyone?.)
>>
>> Actually you can remove big hunks of solaris's kernel. Just rm -f the
>> modules. You keep doing this until the box won't boot, then reinstall
>> from scratch, and repeat up to just before the last thing you removed :-)

[liberally snipped for brevity]

:-) Nice approach. Normally, once you install just the core packages and
remove the most obvious unimportant crud that still remains in the core
install, you're pretty safe. Then, if you want to, you can remove kernel
modules and shoot yourself in the foot a couple of times while doing it.
(Yes, been there, done that in my previous life.)

>Yes, but you can't rip everything out if you expect to run a commercial
>firewall's GUI.

Sure you can. It's a Good_Thing(sm).

> Solaris wants rpcbind for the X font server for instance.
>Ripping listening sockets out of CDE *sucks* and is non-trivial.

That's true, but people really _should_ know better than running an X server
and *gasp* the CDE X manager on the firewall box. Operative word being
*should*. :-)

>Compiling IPFilter gets to be unfun if you don't have a Sun compiler and
>you're running 64-bit (download the compiler, install it, yadda, yadda,
>yadda.)

*Sigh* You're right. IPF on Solaris 7 or 8 can be a bit of a problem, but
many have found ways to obtain 64-bit IPF. Trusting other people's
packages[0] is yet another one of those things that people shouldn't do, but
still do.

> The long and short of it is that manually it's at least a full day to
>patch and harden and assumes things that most sites that aren't big Solaris
>shops don't have (admin clue being #1.)

Yes, but then again, people should invest at least a day in deploying new
pieces of software and hardware. And after you've done it once, document it.
Then rebuild whatever you're implementing according to the document. Fix the
document where applicable and rebuild again. :-)

Come to think of it, your argument actually covers most if not all cases
where people deploy a new piece of security-equipment-to-be.

Cheers,
Saso

P.S.: Thanks Mike and Paul for the extremely amusing debate.

[0] In this case, I'm talking about SUN packages, but it's the same for all
the other kinds of physical and computer packages.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
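The thread above argues about how much work it is to strip listening services (rpcbind, the X font server, CDE) off a Solaris firewall host before trusting it. The script below is an added example, not code from the thread or from any of its participants: it parses a `netstat -an` listing in the Solaris layout, prints every listening TCP socket and bound UDP socket, and flags the ports belonging to the services the message says should not be on a firewall box. The sample listing is constructed for the example (not a real capture), and the port-to-service mapping uses the standard assignments (rpcbind 111, X font server 7100, X server 6000, CDE dtspc 6112); the column layout is assumed to match Solaris 7/8 `netstat -an` output.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Solaris-style
# `netstat -an` listing for listening sockets and flag the services the
# thread says a hardened firewall host should not expose.

# Constructed sample in the layout of Solaris `netstat -an`; not a real capture.
SAMPLE_NETSTAT='
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.7100               *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
10.0.0.1.22          10.0.0.99.4411     8760      0 49640      0 ESTABLISHED

UDP: IPv4
   Local Address        Remote Address      State
-------------------- -------------------- -------
      *.111                                Idle
      *.514                                Idle
'

# Read a netstat listing on stdin; print "proto port" for every listening TCP
# socket and every bound (Idle) UDP socket. The local address is the first
# field and its port is the text after the last dot.
listening_ports() {
    awk '
        /^TCP:/ { proto = "tcp"; next }
        /^UDP:/ { proto = "udp"; next }
        proto == "tcp" && $NF == "LISTEN" { n = split($1, a, "."); print "tcp " a[n]; next }
        proto == "udp" && $NF == "Idle"   { n = split($1, a, "."); print "udp " a[n] }
    '
}

# Read "proto port" lines on stdin; print one line per port that belongs to a
# service the thread names as unwanted on a firewall host. Standard port
# assignments (assumption: nothing on the box has remapped them).
flag_unwanted() {
    while read -r proto port; do
        case "$port" in
            111)  echo "$proto/$port rpcbind (pulled in by RPC services such as the X font server)" ;;
            7100) echo "$proto/$port X font server" ;;
            6000) echo "$proto/$port X server" ;;
            6112) echo "$proto/$port dtspc (CDE subprocess control)" ;;
        esac
    done
}

# Number of unwanted listeners in the constructed sample; a hardening script
# would run `netstat -an | listening_ports | flag_unwanted` on the real host.
count_unwanted() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | flag_unwanted | wc -l | tr -d ' '
}

# Number of listening/bound sockets in the constructed sample.
count_listening() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports | wc -l | tr -d ' '
}
```

On the sample, the script reports four unwanted listeners (rpcbind on tcp and udp 111, the font server on 7100, and an X server on 6000) out of six bound sockets; on a real host, replace the sample with `netstat -an` output and treat any flagged line as something to remove before the box is put in line. Note that a port that is merely absent from the flag list is not thereby acceptable; the list only covers the services this thread happens to mention.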
