Firewall Wizards mailing list archives

RE: irix firewalls


From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Wed, 29 Nov 2000 11:49:58 -0500

Craig--
I was waiting to see if anyone else knew of any
alternatives...but I would tend to agree with
George's solution.  In the general case, put
something designed for security between the
IRIX box(en) and potential threats.  That's
the same rule as for practically any general-
purpose OS, though. [0]

A possibly more helpful answer:
During the last go-round at security products
for IRIX I did (roughly 18 months ago) there
were no commercial firewall vendors actively
supporting IRIX--at best someone had an old
version which they claimed would run on IRIX
6.x, but their 6.x usually meant 6.2.  The
changes between 6.2 and 6.5 are significant,
and I would question how well firewall
products for 6.2 will perform their functions
on 6.5.x.

IPFilter ( http://coombs.anu.edu.au/~avalon/ip-filter.html )
states that it runs on 6.2, but I'm not aware
of anyone having gotten it running on 6.5.
You might do a quick search or post to the
IPFilter mailing list for help on that--and
let me know if you get it running on 6.5.

Other info might be found in an IRIX Security FAQ:
  http://www-viz.tamu.edu/~sgi-faq/faq/html-1/security.html

A specific entry on IRIX firewalls (from 1996!)
  http://www-viz.tamu.edu/~sgi-faq/faq/html-1/security.html#10
basically says that TIS Gauntlet was still then
available for IRIX--but I can't find any sign
of it on NAI's current supported list.  The
TIS FWTK is potentially still an option if
the license terms are acceptable, but do keep
in mind that FWTK is showing some age.
I took a quick look at the FWTK un-official
site (start at http://www.fwtk.org/ ) and couldn't
find anything specific about support for IRIX 6.5.

Note on SGI security:
I was involved in architecting a fairly
significant SGI installation for a security-
conscious portion of the US Government, and
we're doing the Common Criteria evaluation of
SGI IRIX, and having crawled inside IRIX I like
it (from a security perspective) a lot more than
I did 3 years ago.  My perception is that SGI
has lately been doing smart things to
improve security, and has probably "turned
the corner"--but there are still issues.
By the time one strips all the SetUID root
"neato whizbang" binaries off an SGI box, it's
not always convincing to me that there's a big
advantage to the SGI hardware over Sun/HP/Deq.
As always, though, the choice of a proprietary
UNIX is partially determined by the local
expertise, experience with vendor service,
installed hardware base, yada yada yada.

Note that as with Sun and other vendors, SGI is
somewhat constrained in how much they can improve
the security of a default install without breaking
certain functions that existing installations
rely upon.  That's what keeps hordes of
integrators and consultants busy, as well as
giving sysadmins less hair and more gray ones.

SGI corporately (again, my perception) seems
to be also moving away from IRIX and MIPS, and
towards the IA-64 processor running either
NT/Win2K or Linux.  That means that it's
unlikely that new firewall vendors supporting
IRIX would jump into the market.  The positive
side effect is that SGI is actively contributing
code (and hopefully people) to add things like
kernel-level auditing to Linux.  For an example,
see http://oss.sgi.com/projects/ob1 .

As always, my employers are paying me to
perform Real Work, not to have opinions...
so these are mine, on my own time.

[0] Of course, once the "hard candy shell" is
    established, don't forget about the "soft
    chewy center"--do reasonable things to
    secure the IRIX boxen against abuse or
    attack by local users and other boxes on
    the internal network.

Rip Loomis              Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com


-----Original Message-----
From: George Jones [mailto:gjones () mail argfrp us uu net]
Sent: Wednesday, November 29, 2000 9:51 AM
To: Craig T. Hancock
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] irix firewalls


 "cth" == Craig T Hancock <craig () charlie cns iit edu> writes:

cth> Hello all, I was wondering if someone could
cth> point me in a direction. I am trying to find firewall solutions
cth> for an IRIX 6.5 box
            ^^^^

Give up and park an OpenBSD box in front of it to do firewalling ?

---George Jones

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


