Firewall Wizards
mailing list archives
Hardening, (was Re: chroot useful?)
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 17 Nov 1997 21:15:34 -0500
Rick Murphy writes:
> I only know the details of a couple of firewall products well enough to
> say that the "hardened OS" really isn't -
I share Rick's experience. "Hardening" the O/S usually means
something like:
- we deleted some of the obvious binaries someone might use
- we shut down a bunch of run-time servers from inetd.conf
- we shut down a bunch of stuff from /etc/rc.boot
- we may have done a few kernel hacks like the ones I talk
about, but probably not
- we added something like tripwire
There was one vendor that used to sell a "hardened" firewall
on a specially secured UNIX O/S -- basically it was a bait and
switch: they had done a lot of work for a long time on NSA
funded secure O/S' but the firewall was BSD with a few bits
of the secure O/S technology stapled onto the side in a paper
bag.
Back when I worked for a vendor that sold workstations running a
BSD-derived version of UNIX, the sales droids would often tell
customers things like "It's BSD-based, but we fixed all the bugs."
I actually heard one sales droid from one firewall vendor claim that
"It runs on FreeBSD/Linux/BSDI/you guess, but we fixed all the
bugs." Maybe that's what they mean when they say "hardened" :)
I'm not convinced that hardening the O/S is worthwhile. If you are
going to go that far, just do away with the O/S entirely and replace
it with a simple program loader and bootstrap. DOS, for example.
When Network-1 came out with a DOS-based firewall years ago
a lot of folks gave them a hard time. I thought it was terrific design
because you know it's either going to work, or lock up solid. It's
all really a kind of nitpick point anyhow, since the most likely failure
mode for the firewall is going to be user configuration errors
or the incoming traffic problem.
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
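The checklist in the message above includes "we shut down a bunch of run-time servers from inetd.conf". The following is an added example, not code from the original post or from any vendor it mentions: a small POSIX shell audit that parses a constructed inetd.conf (classic seven-field format assumed; the service names and the file contents are made up for the example) and reports which services are still active, so that a claim of "hardened" can be checked against the file rather than taken on faith.

```shell
#!/bin/sh
# Added example: audit which inetd services remain enabled.
# The configuration below is constructed for this example; it is not a real
# system file and the service names are only illustrative.

SAMPLE_INETD_CONF=$(mktemp)
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample inetd.conf, not from a real host
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#tftp    dgram   udp  wait    root    /usr/sbin/tcpd  in.tftpd
EOF

# Print the service name (first field) of every active line, i.e. every
# line that is neither blank nor a comment. Commented-out entries are the
# ones the "hardening" step is supposed to have produced.
inetd_enabled_services() {
    # $1: path to an inetd.conf
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# Exit status 0 if the named service is still enabled, 1 otherwise.
inetd_service_enabled() {
    # $1: inetd.conf path, $2: service name
    inetd_enabled_services "$1" | grep -qx "$2"
}

# Given a list of services the checklist expects to be disabled, report each
# one that is still active on stderr and print the count on stdout.
inetd_count_still_enabled() {
    # $1: inetd.conf path; remaining arguments: service names to check
    conf=$1
    shift
    n=0
    for svc in "$@"; do
        if inetd_service_enabled "$conf" "$svc"; then
            echo "still enabled: $svc" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage: check the constructed file against a constructed expected-disabled list.
inetd_count_still_enabled "$SAMPLE_INETD_CONF" ftp telnet shell finger tftp
```

For the sample file the audit reports telnet and finger as still enabled and prints a count of 2; the point is that the file itself, not the marketing sheet, is the record of what was actually shut down.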