Firewall Wizards mailing list archives
Re: Hardening, (was Re: chroot useful?)
From: "Jim Raykowski" <jimrski () cts com>
Date: Thu, 21 Nov 1996 01:20:50 -0800
Hello,

What are some of the binaries you deleted from your systems? The reason I ask is that I am trying to make a linux 3.30 with kernel 2.0.30 more secure than out of the box/net.

I installed a minimal system with just the things needed to boot and then re-compile the kernel for my system, then added networking and that was it. I then re-compiled the kernel again to add the networking hardware, then un-installed the compiler and its things, then un-installed the kernel sources. I then added another disk to the system and put the GNU compiler and kernel sources over there as best I could figure. Then unzipped TIS FWTK 2.0 and went to town setting it up. After it was installed I umount the disk with the compilers and various source code on it and re-boot the system.

I think it is secure and it seems secure after testing it with tools from the net to try and penetrate, that leads to a lot more questions itself, the system. However, is there a list of programs that come with systems that should be deleted?

Jim Raykowski
jimrski () cts com
raykowsj () nosc mil

-----Original Message-----
From: Marcus J. Ranum <mjr () nfr net>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Thursday, November 20, 1997 4:25 PM
Subject: Hardening, (was Re: chroot useful?)
Rick Murphy writes:
> I only know the details of a couple of firewall products well enough to say that the "hardened OS" really isn't -

I share Rick's experience. "Hardening" the O/S usually means something like:
- we deleted some of the obvious binaries someone might use
- we shut down a bunch of run-time servers from inetd.conf
- we shut down a bunch of stuff from /etc/rc.boot
- we may have done a few kernel hacks like the ones I talk about, but probably not
- we added something like tripwire

There was one vendor that used to sell a "hardened" firewall on a specially secured UNIX O/S -- basically it was a bait and switch: they had done a lot of work for a long time on NSA funded secure O/S' but the firewall was BSD with a few bits of the secure O/S technology stapled onto the side in a paper bag.

Back when I worked for a vendor that sold workstations running a BSD-derived version of UNIX, the sales droids would often tell customers things like "It's BSD-based, but we fixed all the bugs." I actually heard one sales droid from one firewall vendor claim that "It runs on FreeBSD/Linux/BSDI/you guess, but we fixed all the bugs." Maybe that's what they mean when they say "hardened" :)

I'm not convinced that hardening the O/S is worthwhile. If you are going to go that far, just do away with the O/S entirely and replace it with a simple program loader and bootstrap. DOS, for example. When Network-1 came out with a DOS-based firewall years ago a lot of folks gave them a hard time. I thought it was terrific design because you know it's either going to work, or lock up solid.

It's all really a kind of nitpick point anyhow, since the most likely failure mode for the firewall is going to be user configuration errors or the incoming traffic problem.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr