On Wed 27-October, Marcus J. Ranum wrote (id <3.0.6.32.19991027211307.007cc1c0at_private>): % %>Can anyone suggest resources or sites with info on securing a UNIX system %>for installation of a firewall. % %I used to believe in "stripping" operating systems. Now I believe %in "building" them. Rather than removing what I think may be bad, %I prefer to start with a bootstrap loader and add the things I %need. :) % %The NFR appliance (which I happened to do the first round of %system integration for) was built in the manner described above. %I took the bootstrap, added a kernel and filesystem, a minimum %of devices, and then coded my own version of init and everything %above kernel space. This is the same design methodology which we used in our Firebox. But, we don't have any filesystems which are for generic use. We use compressed read-only images which we uncompress during startup. This way, there is never filesystem "state" to worry about. I agree that this the best way to design a secure system, but you may say that I have a bias... -chrisb -- Chris Boscolo chris.boscoloat_private Software Development Manager, Security Technologies WatchGuard Technologies (206) 521-8348
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:45:45 PDT