Firewall Wizards mailing list archives

Re: chroot useful?

From: Anton J Aylward <anton () toronto com>
Date: Mon, 17 Nov 1997 06:52:54 -0500

At 11:38 AM 17/11/97 +1100, Darren Reed wrote:
## Reply Start ##

In some mail I received from Anton J Aylward, sie wrote


At 07:12 PM 16/11/97 +1100, Darren Reed wrote:
## Reply Start ##

[...mjr's email deleted...]

So, how many firewalls out there implemented with any of the common
operating systems (be they free or commercial) actually do this ?


Why not ask them.  Many claim to run "hardened" versions of 
BSD or LINUX.  Vulnerabilites and exploits are well publicized, 
and many of the developers read these lists.   I doubt many
are going to be so arrogant as to take a NIH approach to something
Marcus has contributed to the state of the technology ;-)


Well, the majority of the firewall market doesn't run on a "hardened"
version of the OS because that's not what FW-1 uses.


Interesting logic and interesting way of expressing it.
I've just thumbed thru some literature in my filing cabinet,
such as it is, and yes, the first vendor I looked at, BorderWare,
claims to use a hardened kernel.  

We can throw this back and forward like a shuttlecock, "A does",
"B doesn't" .....  but its like a mathematical proof.  That ONE
does means that one or more HAS made kernel changes.  

Now actually Borderware has a user interface that hides the OS 
from the end user very effectively - too effectively I've heard
some people say.   The users don't have to know how to hack the 
kernel.  It applied when I first used UNIX back in '78 (when I
was on the way to becoming a kernel maintenance programmer) and
it applies today.

/anton


## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which 
The Strahn & Strachan Group Inc  | processes, products, services, and 
Information Security Consultants | relationships are free from defects, 
Voice: (416) 421-8182            | constraints and items which do not add
  Fax: (416) 421-8183            | value." - Dr. Mildred G Pryor, 1995

Current thread:

Hardening, (was Re: chroot useful?), (continued)
- - - Hardening, (was Re: chroot useful?) Marcus J. Ranum (Nov 20)
    - Re: Hardening, (was Re: chroot useful?) Paul D. Robertson (Nov 21)
    - Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Marcus J. Ranum (Nov 16)
  - Re: chroot useful? Wolfgang Ley (Nov 16)
  - Re: chroot useful? Darren Reed (Nov 16)
    - Re: chroot useful? Aleph One (Nov 17)
  - syscall wrappers (was Re: chroot useful?) Bennett Todd (Nov 17)
    - Re: syscall wrappers (was Re: chroot useful?) George Ross (Nov 20)
- RE: chroot useful? Y. W. Ko (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 17)
  - Re: chroot useful? Darren Reed (Nov 20)
    - Firewalling DCOM and brethren David C Niemi (Nov 21)
    - Re: Firewalling DCOM and brethren Magossa'nyi A'rpa'd (Nov 21)
- Re: chroot useful? Anton J Aylward (Nov 17)
- RE: chroot useful? Joseph Judge (Nov 17)
- Re: chroot useful? Paul McNabb (Nov 17)
- Re: chroot useful? Paul McNabb (Nov 17)
  - Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Anton J Aylward (Nov 20)
  - Re: chroot useful? chuck yerkes (Nov 21)

(Thread continues...)