I agree with one caveat - it depends on the level of security
provided by the firewall. For a high security system, such as a proxy, I
agree; for a lower level of security (say a packet screen), the Solaris
environment matches the level of security of the firewall. Therefore, would
I run a Gauntlet on Solaris? No. Would I run Firewall-1 on Solaris 2.5? Maybe.
At 22:49 96/04/10 -0500, the sage, Jeff Maddox, uttered these words:
> All, first I apologize for the length but the context of this is important.
> Also, I would really prefer not to start either a flame or religious war. I
> have a group of young SysAdmins who want to migrate all their Sun boxes to
> the same OS (Solaris 2.5 if they can get all their software to run on it,
> 2.4 if not).
>
> While I do not argue against the conversion of their general purpose or
> database servers to the same OS, I have real concern about moving the
> special purpose single function servers that perform the authentication,
> packet filtering and proxying (proxying?).
>
> At present we are running stripped, hardened versions of SunOS 4.1.4 and we
> have patched, modded and cleaned it to the max. While we know that the best
> solution is to have a kernel with source code, it wouldn't help, as these
> guys (me too, as I am not in that class of firewall engineer [yet] :-) )
> couldn't analyze it anyway. I, and others, are willing to trust the many
> people who have identified vulnerabilities and fixes in 4.1.4.
>
> My argument is that for these purposes you would have to strip Solaris to
> the bone anyway to close unnecessary potential holes, and the act of stripping
> Solaris is fraught with failure potential, as no one I know is really certain
> about everything that could smack the server by being removed, or what could
> be removed without killing it or making it unbootable. Also, the kernel is
> so complicated (I have been told; again, without source, who can tell except
> by the size of the binary? A guess at best) that, I believe, potential holes
> must be there.
>
> However, the context is that of special purpose security servers that run
> one or a few small processes. What would Solaris possess that would make it
> more, or even as, secure in this specific instance?
>
> The final point is, we are also not talking about forever, just a year or
> two to allow you and the rest of the real beta, secure, OS testers to find
> and alert us and Sun to the potential holes and fixes.
>
> If I am off base then I would appreciate clarification; if not, evidence to
> allow me to end this controversy and get them moving on more important
>
> Thanks in advance.
>
> Man is the only animal that can remain on friendly terms with the victims he
> intends to eat until he eats them.
>
> 3102 Bee Caves Rd Suite A
> Austin, TX 78746
> Phone (512) 329-5731
> FAX (512) 329-5726
> Pager (800) 506-5617
> E-Mail jeff .
Chris Liljenstolpe <Chris .
SSDS, Inc.; 8400 Normandale Lake Blvd.; Suite 993; Bloomington, MN 55437
TEL 612.921.2392 FAX 612.921.2395
"business driven technology solutions" - Fram Fram Free!
PGP Key 1024/E8546BD5 FE 43 BD A6 3C 13 6C DB 89 B3 E4 A1 BF 6D 2A A9