Firewall Wizards mailing list archives
Re: chroot useful?
From: chuck yerkes <Chuck () yerkes com>
Date: Thu, 20 Nov 1997 22:11:52 -0500 (EST)
It is claimed, but unverified, that Anton J Aylward wrote:
At 05:27 PM 17/11/97 -0600, Paul McNabb wrote:
IMHO, stripping down a system by removing unnecessary utilities, services, and processes reduces the chances of leaving a hole open and is absolutely essential for making a firewall "secure", but it does little towards making the remaining services more secure.
Practically, running named, and web servers, and such in a READONLY chroot environment has gotta leave you open to fewer issues than NOT running it like that. Most crackers run toolkits with little clue as to what's going on and these things will help slow them down.
What about stripping down the kernel and removing things of dubious nature?
But many useful things are dubious. It's just that in a highly secure context that they become dubious.

Let me throw some gas on the fire and say this: Basically, using a general purpose OS is not a good idea for a firewall. Using the PROTOCOLS of a GP/OS IS a good idea. By this I mean that configuring via a file or a secure web server (or whatever) and logging via syslog is good. I'd say that taking Unix, rather than removing what's bad to make it secure, start empty and add only what you need. Generally this means multi-tasking, a TCP/IP stack, filters, a variety of daemons that can proxy and stuff to do logging and alerting.

Sounds easy enough, but when you add shells and interactive users, you have to add a lot of /usr/bin/. I know *I* can get Unix down to about 40 meg and still log in - a normal binary OS distribution and pre-source revision. It's just not that easy to do maintenance of the machine.

I've worked with a bunch of firewall products and have yet to be impressed with most of them. The best I can usually say is that some are ok for a software product that's generically usable.

chuck
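As an added illustration of the read-only chroot point made above (not code from anyone in this thread), this is the sequence a daemon should follow to confine itself: chdir into the jail, chroot, clear supplementary groups, drop gid then uid, and verify that root cannot be regained, since chroot alone does not hold a process that is still uid 0. The jail path under /tmp and the uid/gid 65534 are constructed assumptions; mounting the jail read-only is done outside the program.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Confine the calling process to `dir` as an unprivileged uid/gid.
 * Order matters: chdir before chroot (so "." is inside the jail), then
 * groups and gid before uid (once uid is non-root those calls would fail).
 * Returns 0 on success, or -1 with errno set. */
int confine(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0 || chroot(dir) != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;      /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || setgid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Self-check in a forked child so the caller stays unconfined.
 * Returns 0 if the child was confined and verified, 1 if the check had to
 * be skipped for lack of privilege (chroot needs CAP_SYS_CHROOT), else 2+. */
int run_confined_check(void)
{
    char jail[] = "/tmp/jailXXXXXX";            /* constructed: empty jail dir */
    if (mkdtemp(jail) == NULL) return 3;
    pid_t pid = fork();
    if (pid < 0) { rmdir(jail); return 3; }
    if (pid == 0) {
        if (confine(jail, 65534, 65534) != 0)   /* assumed unprivileged ids */
            _exit(errno == EPERM ? 1 : 4);
        /* Inside an empty jail, host paths must be unreachable. */
        _exit(access("/etc/passwd", F_OK) == -1 ? 0 : 2);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    rmdir(jail);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 5;
}

int main(void)
{
    int r = run_confined_check();
    printf("confined check: %s\n",
           r == 0 ? "ok" : r == 1 ? "skipped (not root)" : "FAILED");
    return (r == 0 || r == 1) ? 0 : 1;
}
```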