Firewall Wizards mailing list archives
RE: irix firewalls
From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Wed, 29 Nov 2000 11:49:58 -0500
Craig--

I was waiting to see if anyone else knew of any alternatives...but I would tend to agree with George's solution. In the general case, put something designed for security between the IRIX box(en) and potential threats. That's the same rule as for practically any general-purpose OS, though. [0]

A possibly more helpful answer: During the last go-round at security products for IRIX I did (roughly 18 months ago) there were no commercial firewall vendors actively supporting IRIX--at best someone had an old version which they claimed would run on IRIX 6.x, but their 6.x usually meant 6.2. The changes between 6.2 and 6.5 are significant, and I would question how well firewall products for 6.2 will perform their functions on 6.5.x.

IPFilter ( http://coombs.anu.edu.au/~avalon/ip-filter.html ) states that it runs on 6.2, but I'm not aware of anyone having gotten it running on 6.5. You might do a quick search or post to the IPFilter mailing list for help on that--and let me know if you get it running on 6.5.

Other info might be found in an IRIX Security FAQ:
http://www-viz.tamu.edu/~sgi-faq/faq/html-1/security.html

A specific entry on IRIX firewalls (from 1996!)
http://www-viz.tamu.edu/~sgi-faq/faq/html-1/security.html#10
basically says that TIS Gauntlet was still then available for IRIX--but I can't find any sign of it on NAI's current supported list.

The TIS FWTK is potentially still an option if the license terms are acceptable, but do keep in mind that FWTK is showing some age. I took a quick look at the FWTK un-official site (start at http://www.fwtk.org/ ) and couldn't find anything specific about support for IRIX 6.5.

Note on SGI security: I was involved in architecting a fairly significant SGI installation for a security-conscious portion of the US Government, and we're doing the Common Criteria evaluation of SGI IRIX, and having crawled inside IRIX I like it (from a security perspective) a lot more than I did 3 years ago. My perception is that SGI has lately been doing smart things to improve security, and has probably "turned the corner"--but there are still issues. By the time one strips all the SetUID root "neato whizbang" binaries off an SGI box, it's not always convincing to me that there's a big advantage to the SGI hardware over Sun/HP/Deq. As always, though, the choice of a proprietary UNIX is partially determined by the local expertise, experience with vendor service, installed hardware base, yada yada yada.

Note that as with Sun and other vendors, SGI is somewhat constrained in how much they can improve the security of a default install without breaking certain functions that existing installations rely upon. That's what keeps hordes of integrators and consultants busy, as well as giving sysadmins less hair and more gray ones.

SGI corporately (again, my perception) seems to be also moving away from IRIX and MIPS, and towards the IA-64 processor running either NT/Win2K or Linux. That means that it's unlikely that new firewall vendors supporting IRIX would jump into the market. The positive side effect is that SGI is actively contributing code (and hopefully people) to add things like kernel-level auditing to Linux. For an example, see http://oss.sgi.com/projects/ob1 .

As always, my employers are paying me to perform Real Work, not to have opinions... so these are mine, on my own time.

[0] Of course, once the "hard candy shell" is established, don't forget about the "soft chewy center"--do reasonable things to secure the IRIX boxen against abuse or attack by local users and other boxes on the internal network.

Rip Loomis Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: George Jones [mailto:gjones () mail argfrp us uu net]
Sent: Wednesday, November 29, 2000 9:51 AM
To: Craig T. Hancock
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] irix firewalls

"cth" == Craig T Hancock <craig () charlie cns iit edu> writes:

cth> Hello all I was wondering if someone could
cth> point in a directions I am trying to find firewall solutions
cth> for an IRIX 6.5 box
           ^^^^

Give up and park an OpenBSD box in front of it to do firewalling ?

---George Jones

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

Current thread:
- irix firewalls Craig T. Hancock (Nov 28)
- Re: irix firewalls George Jones (Nov 30)
- <Possible follow-ups>
- RE: irix firewalls Loomis, Rip (Nov 30)