SLUG Mailing List Archives
Re: [SLUG] Firewall security audit report
- To: Scott Howard <scott@xxxxxxxxxx>
- Subject: Re: [SLUG] Firewall security audit report
- From: Umar Goldeli <umar@xxxxxxxxxxxxxx>
- Date: Wed Feb 28 10:24:01 2001
- Cc: chesty <chesty@xxxxxxxxxx>, SLUG Mailing list <slug@xxxxxxxxxxx>
> The good old firewall audit... Yet to find an auditor who returns a
> worthwhile report...
It is only too true... most "auditors" are not very useful.. *sigh*
> Of course, you could just upload something into a different partition which
> is read-write (/etc maybe?), but given that we're talking about a firewall,
> every little bit helps! The fact that some script kiddie can't just run
But Scott, then you mount /etc noexec. ;)
> In particular, you should make sure you have as few suid/sgid programs
> installed. Even programs which normally need SUID to run can probably
> have it dropped - it just means you need to run them as root.
There are pros and cons of this - there is very little on a firewall that
needs to run as root when you think about it. The one binary in particular
that shits me is ssh - remove the SUID bit on it..*sigh*
Also, mount anything and everything you can nosuid.
> Doing all of the above might mean that your firewall is now (say) 2% more
> secure. If this was any other machine, you probably wouldn't be too worried
> by such a small improvement, but when you're talking about a firewall,
> every last thing helps!
Indeed. A lot of people say security through obscurity is not worth it -
but it is - it buys you time.. whether it's a week or 10 seconds - it's
time.. well worth it. (There are actual formulae which can help you with
cost/benefit/risk analysis, but these aren't exactly too useful).
> Some of the above may fit into the security-by-obscurity category, but
> as far as I'm concerned, security by obscurity never hurts - as long as
> you're not relying on it as your primary defence. We live in a world
> where exploits to the latest bugs are in the hands of the "hackers" of
> the world within hours of the bugs being found. If your extra security
> measures mean that the default exploit fails on your machine because
> /usr is mounted read-only, or because /usr/bin/lpr isn't installed on
> your machine then they will move onto the next machine - even if yours
> is still vulnerable to the bug using a different exploit! Hopefully
> by the time a "real" "hacker" decides to try your box, you'll have had
> time to fix the hole.
> Our standard Solaris build for a server which sits on the internet (not
> actually a firewall, but similar) contains about 50 megs total. It listens
> on a single port (ssh, but not on port 22), has two SUID binaries (su, and
> something else which I forget), has /usr mounted readonly and every other
> partition mounted nosuid, and only runs about a dozen processes (plus
> any for whatever the machine is for of course :)
Sounds like a good plan.. I see way too many companies without a standard
tightened build for unix boxen.. it also makes life easier for admins.
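A small shell audit of the hardening points discussed in this thread (read-only /usr, nosuid and noexec mounts, a minimal set of SUID/SGID binaries), added here as an example and not part of the original mail. The mount table is constructed; the mount points and required options are assumptions standing in for a site's own tightened-build policy.

```shell
#!/bin/sh
# Added example, not from the thread: audit the hardening points discussed
# (mount options and SUID/SGID binaries). Constructed sample mount table in
# /proc/mounts format (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nosuid,nodev 0 0
/dev/sda3 /etc ext4 rw,nosuid 0 0
/dev/sda4 /var ext4 rw,nosuid,noexec,nodev 0 0
/dev/sda5 /tmp ext4 rw 0 0'

# missing_mount_opts TABLE "MOUNTPOINT opt1,opt2" ...
# Prints one line per missing option (or unmounted path); returns 1 if any.
# Pass "$(cat /proc/mounts)" as TABLE to audit the running Linux host.
missing_mount_opts() {
    table=$1; shift
    found=0
    for spec in "$@"; do
        mp=${spec%% *}
        wanted=${spec#* }
        # Fourth field of the matching mount line is the comma-separated option list.
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            echo "$mp: not mounted"; found=1; continue
        fi
        for want in $(printf '%s' "$wanted" | tr ',' ' '); do
            case ",$opts," in
                *",$want,"*) ;;                            # option present
                *) echo "$mp: missing $want"; found=1 ;;
            esac
        done
    done
    return $found
}

# find_setid DIR: list SUID/SGID regular files under DIR without crossing
# filesystem boundaries; each hit is a candidate for chmod u-s / g-s review.
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Policy from the thread: /usr read-only, everything else nosuid, and
# (Umar's suggestion) /etc noexec as well.
missing_mount_opts "$SAMPLE_MOUNTS" "/usr ro,nosuid" "/etc nosuid,noexec" \
    "/var nosuid" "/tmp nosuid,noexec" || echo "mount options need attention"
```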