Firewall Wizards
mailing list archives
Re: chroot useful?
From: mcnabb () argus-systems com (Paul McNabb)
Date: Mon, 17 Nov 1997 17:27:17 -0600
From: Darren Reed <darrenr () cyber com au>
> >So, how many firewalls out there implemented with any of the common
> >operating systems (be they free or commercial) actually do this ?
>
> Why not ask them. Many claim to run "hardened" versions of
> BSD or LINUX. Vulnerabilities and exploits are well publicized,
> and many of the developers read these lists. I doubt many
> are going to be so arrogant as to take a NIH approach to something
> Marcus has contributed to the state of the technology ;-)
Well, the majority of the firewall market doesn't run on a "hardened"
version of the OS because that's not what FW-1 uses.
What % of the market do those selling hardened OSes make up?
I get a bit confused, and I suspect I'm not alone, about the use of the
term "hardened OS". To me, a hardened OS is a modified OS, not just a
well-configured system (meaning tightened up and stripped down). I would
classify Sidewinder as a "hardened OS", and Firewall-1 on Solaris with
the Argus B3 extensions would be "hardened". I would also put into this
category those firewalls running on Linux systems where the kernel has
been modified for improved security.
Offhand, I can think of only two areas where hardening the underlying
OS helps:
1) protecting against daemon/proxy flaws, such as stack overwrite bugs,
that would allow an attacker to get a daemon/proxy to do something it
wasn't designed to do,
2) separating administration activities from firewall services, such as
when the firewall is administered via a network interface.
Packet filtering firewalls offering no network services and that are
administered via the console see only marginal benefit from a "hardened"
OS. The more the firewall is doing in user space, the more chance there
is for a problem and the more a hardened OS will help.
IMHO, stripping down a system by removing unnecessary utilities, services,
and processes reduces the chances of leaving a hole open and is absolutely
essential for making a firewall "secure", but it does little towards making
the remaining services more secure.
paul
---------------------------------------------------------
Paul McNabb Argus Systems Group, Inc.
Vice President and CTO 1809 Woodfield Drive
mcnabb () argus-systems com Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433 "Securing the Future"
---------------------------------------------------------
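Point 1 above (a stack overwrite that lets a daemon or proxy do something it was not designed to do) is the case the thread's subject, chroot, is usually reached for, and it is also where "stripped down" and "hardened" part ways: the jail only limits the damage, it does not remove the bug. The following is an added example, not code from the original post or from any product named in it. It shows the confinement sequence a proxy would run once, while still root, before it starts serving: enter the jail, drop supplementary groups, then gid, then uid, and refuse to serve if root can still be regained. The jail path /var/empty and uid/gid 65534 are assumptions; a Linux or BSD host is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step of confine() failed, if any. */
enum confine_status {
    CONFINE_OK = 0,
    CONFINE_ERR_CHDIR,      /* could not enter (or pin cwd inside) the jail */
    CONFINE_ERR_CHROOT,     /* chroot() refused: not root / no CAP_SYS_CHROOT */
    CONFINE_ERR_SETGROUPS,  /* could not clear supplementary groups */
    CONFINE_ERR_SETGID,
    CONFINE_ERR_SETUID,
    CONFINE_ERR_STILL_ROOT  /* uid 0 is still reachable: refuse to serve */
};

/* Returns 1 if the process is non-root and cannot get root back via
 * setuid(0); a retained saved-set-uid of 0 (e.g. after seteuid) would
 * let setuid(0) succeed, which is exactly what we must rule out. */
int privileges_are_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    return setuid(0) == -1 && errno == EPERM;
}

/* Lock the daemon into `jail` and drop to uid/gid, in an order that
 * cannot be undone afterwards. Call once, early, while still root. */
enum confine_status confine(const char *jail, uid_t uid, gid_t gid)
{
    /* Enter the jail first so chroot() is not followed by a cwd outside it. */
    if (chdir(jail) != 0)
        return CONFINE_ERR_CHDIR;
    if (chroot(jail) != 0)
        return CONFINE_ERR_CHROOT;
    /* chroot() does not move the cwd; pin it to the new root explicitly. */
    if (chdir("/") != 0)
        return CONFINE_ERR_CHDIR;
    /* Groups, then gid, then uid: once uid is non-zero the earlier
     * two calls would fail, so this order is the only one that works. */
    if (setgroups(0, NULL) != 0)
        return CONFINE_ERR_SETGROUPS;
    if (setgid(gid) != 0)
        return CONFINE_ERR_SETGID;
    if (setuid(uid) != 0)
        return CONFINE_ERR_SETUID;
    if (!privileges_are_dropped())
        return CONFINE_ERR_STILL_ROOT;
    return CONFINE_OK;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: an empty directory owned by root, and the
     * "nobody" uid/gid used on many systems. */
    const char *jail = argc > 1 ? argv[1] : "/var/empty";
    enum confine_status st = confine(jail, 65534, 65534);
    if (st != CONFINE_OK) {
        fprintf(stderr, "confine failed at step %d: %s\n",
                (int)st, strerror(errno));
        return 1;
    }
    /* From here on, a stack smash in the proxy code lands in an empty
     * root directory as uid 65534, with no way back to uid 0. */
    puts("confined; starting service loop");
    return 0;
}
```

The uid drop is what makes the jail hold: a process that stays uid 0 inside a chroot can create device nodes, chroot again, or ptrace its way out, so chroot by itself is a tidiness measure, not a boundary. This is also why the example checks privileges_are_dropped() and exits rather than serving on a half-finished confinement.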