Great Circle Associates Firewalls
(June 1996)

Subject: Re: IBM Firewall
From: Ian Gresley-Jones <ian @ martel . demon . co . uk>
Date: Thu, 13 Jun 1996 14:15:40 +0100
To: Gene Lee <genel @ inforamp . net>, firewalls @ greatcircle . com
Cc: "'Adam Shostack'" <adam @ homeport . org>
In-reply-to: <01BB4EFE . A40A0380 @ ts47-15 . tor . iSTAR . ca>

In reply to Adam's comments below - there is an integrity checker in AIX 
v3.??? (3.2.5 and some earlier) called tcbck. It is possible without too 
much trouble to make it use md5 (forgotten the details - if anyone is 
interested I'll dig out some notes) so it can be useful, even if not as 
flexible as Tripwire. I don't know how much this is used in SNG by 
default, but I've set it up in a variety of ways (varying from once 
every 10 seconds for a short list of critical files, to once daily for a 
full filesystem check ....).

<Gene said...>
>If anyone out there has experience with SNG, any criticisms of the product are 
>more than welcome (either via the mailing list or direct e-mail to me). I'm creating a 
>"To Do" list for the developers in Raleigh for subsequent versions of the Firewall. 

That's good news Gene - Hey OtherSuppliers - take note !!! 
>
>genelee @ vnet . ibm . com
>
<Adam said...>
>Something like tripwire or L5 would be nice.  I know there's an
>integrity checker in /etc/security/? (Been a while since I used AIX),
>but there's no docs for it, and I don't think it supports MD5 or SHA1.

The docs are there in 'info', but as seems standard for IBM they are 
not as complete, consistent or even in some cases correct as they might
be - here's one for the Raleigh boys to improve on Gene !

>
>Most of the other shortcomings I saw were in the manual; not talking
>about stripping out un-needed services, not talking about reducing
>permission levels on sendmail & rdist, and the rest of them.

Agreed, AIX is a monstrous beast and needs a bare bones installation
with very careful configuration. IBM should provide some details of the 
lengths they go to in stripping out or switching off the nasties, and 
what they do with things like sendmail (very old version as standard in 
3.2.5). 
What about monitoring (the audit subsystem is useful - what use is made 
of it), intrusion detection etc.

I admit I only saw some basic info on an early version of the product, 
maybe more info is available, but they do keep it quiet. Tell us more
Gene....

Regards

Ian 
********************************************************************
Ian Gresley-Jones              * Protek Warrington (UK) 01925 240340
<igjones @ proteknw . demon . co . uk> *  or    Maidenhead (UK) 01628 75959
or <ian @ martel . demon . co . uk>    * 
-- speaking for myself only -- *                              ZZR600
********************************************************************
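The tcbck/Tripwire-style check discussed in this message (a stored baseline of digests for a short list of critical files, re-verified periodically) as an added example that is not part of the original post or of any IBM tool. The file names and contents are constructed for the demo; the baseline itself should live on read-only or offline media, which this example does not implement.

```python
"""Minimal baseline-and-verify file integrity checker (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 is what the 1996 thread talks about; SHA-256 is the sensible default today.
def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algo="sha256"):
    """Record digest, size and permission bits for each critical file."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[str(p)] = {"digest": file_digest(p, algo),
                            "size": st.st_size,
                            "mode": st.st_mode & 0o7777}
    return baseline

def check_baseline(baseline, algo="sha256"):
    """Return (changed, missing) file lists relative to the stored baseline."""
    changed, missing = [], []
    for path, rec in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
            continue
        st = os.stat(path)
        if (file_digest(path, algo) != rec["digest"]
                or (st.st_mode & 0o7777) != rec["mode"]):
            changed.append(path)
    return changed, missing

def demo():
    """Constructed sample: baseline two files, then alter one and delete the other."""
    d = Path(tempfile.mkdtemp())
    passwd, inetd = d / "passwd", d / "inetd.conf"
    passwd.write_text("root:x:0:0::/:/bin/sh\n")
    inetd.write_text("ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n")
    base = build_baseline([passwd, inetd])
    passwd.write_text("root:x:0:0::/:/bin/sh\nextra:x:1001:1001::/home/extra:/bin/sh\n")
    inetd.unlink()
    return check_baseline(base), base

if __name__ == "__main__":
    (changed, missing), _ = demo()
    print("changed:", changed)
    print("missing:", missing)
```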
