
Re: My own Firewall ??



On 11 Mar 2005, JM wrote:
>> When you say you tried it, how did you test?
>
> I probably made a premature comment. Nessus probings, for example,
> were ok for me before trying this kernel. Maybe other friends with
> more experience can say something. What specific tests are you
> referring to?

Basically, my question was:  did you do any specific security assessment
of the new kernel/OS, or did you simply install it and verify that it
booted?

If you had done specific security testing, I could note that (and your
results, and ideally methodology) down, and not pay so much attention to
it if I did decide to evaluate this for a client of mine (or home use. :)

[...]

> 	- grSecurity 2.0.1

This seems to be a mixed bag, some of which is good and some, possibly
most, of which isn't.

There has been a push to get some parts of this into the mainline kernel
recently, and pretty much each attempt save one has been bounced as
insufficient, or not actually helpful.

> 	- Net-dev-random for 2.6.7.
> 	- Net-dev-random-drivers for 2.6.7.

IIRC, the network random changes from grSecurity were judged to reduce
overall randomness in the network stack by David Miller and the core
network team.

> 	- SELinux PaX hooks for 2.6.7.

There was a recent security announcement from the PaX team on Bugtraq
that ended the line of development, after a serious flaw in their
security model rendered machines considerably open, I note...

[...]

> 	- Openswan 2.3.0dr2 (improved IPSec stack).

This is a dead end, unless they have changed tack recently:  the
official IPSec stack in 2.6 is based on the one Linus and David Miller
developed.  Using it now seems ... effort without significant gain.

> 	- Fortuna CSRNG.

Every time this comes up on linux-kernel, it gets bounced, because there
isn't any significant security gain to it.

[...]

Overall, I can't say that any of those compel me toward the project,
other than the CAN, etc., bugfixes.  I hope they pushed those to the
mainline kernel as well. ;)

OTOH, I wasn't impressed by the general principle, to start with, so
maybe I judge this project more harshly than I should.  Who knows.

At least the idea of improving security in general is good, and I like
to see work done on it.

> If you are referring to bastille, I think it is a good program. Never had
> any problems with it.  Just a little thing here and there, like creating
> some sort of directory it needed and the like.  I believe some of the
> options need to be carefully considered.

Looking at the description, it could be.  Still, I shouldn't judge it
based on the poor experiences of one person, I guess. :)

      Daniel
-- 
The modern conservative is engaged in one of man's oldest exercises
in moral philosophy; that is, the search for a superior moral
justification for selfishness.
        - J.K. Galbraith
