Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: Securing down a box for a firewall
From: "Robert Augustine" <robert @ dresden . com>
Date: Thu, 12 Jun 1997 11:46:40 -0400
To: "Sameer R. Manek" <manek @ challenger . atc . fhda . edu>, "Greg Witte" <gwitte @ us-state . gov>, "firewalls-owner @ GreatCircle . COM" <firewalls-owner @ GreatCircle . COM>
Cc: "'firewalls @ greatcircle . com'" <firewalls @ GreatCircle . COM>

Sameer,

    Using proper file permissions and setting groups accordingly can allow
you to limit who has access to what.  Say you only want people who are in
group staff to have the ability to execute the compiler, linkers, etc.
You would chmod the files so only the owner and group could execute them,
change the group to 'staff' (staff has to be in /etc/group, btw), and make sure
everybody you want to be able to execute the program is either group staff,
or has an entry in /etc/group.  You can go through your whole system and
set up levels of permissions, and then change the permissions and groups
accordingly, allowing who you want to have access to what you want.
Remember also that, for example, people could be a member of staff, and
also openwin (a group made up so that only people in it could execute and/or
read/write files that have to deal with X11, or whatever X system you run).
There are ways to get around everything, whether high-end firewalls or low-end
web servers; to have the greatest amount of protection you should
implement it from the top and work all the way to the bottom.  Remember
you're only as secure as your network's weakest point.  However, if any of the
accounts that have access to the compilers, etc. are compromised, there is
nothing stopping the person from running the programs that they have access
to.

--
Robert Augustine                   Networking                     dresden.
4045 Loch Highland Pass    Programming                 com
Roswell, GA 30075               Security                          Corporation
P:(770)642-8569                    robert @ dresden . com





----
From: Sameer R. Manek <manek @ challenger . atc . fhda . edu>
To: Greg Witte <gwitte @ us-state . gov>
Cc: 'firewalls @ greatcircle . com' <firewalls @ GreatCircle . COM>
Date: Wednesday, June 11, 1997 9:30 PM
Subject: Securing down a box for a firewall

>I'm curious what is considered stripping down a box? I can understand the
>obvious stuff like /usr/games, and maybe a few binaries in /bin and
>/usr/bin, along with most setuid binaries. Possibly even remove the
>compiler, though compiling on an alternate box is real easy. So what can
>be done to strip it down?
>
> 
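
The group-restriction approach described in the reply above, as an added example that is not part of the original posts: it sets build tools to mode 750 under one group, reports any tool that "other" can still execute, and lists every account that holds the group (supplementary membership in the group file or primary GID in the passwd file), since each of those accounts can still run the tools if compromised. The tool list, the sandbox directory and the sample passwd/group contents are constructed for the demonstration, and the current user's GID stands in for 'staff' so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original post. TOOLS, the sandbox and the
# sample passwd/group contents are constructed for the demonstration.
TOOLS="cc gcc ld as make"

# restrict_tools DIR GROUP: chgrp each tool in DIR to GROUP and set mode 750
# (owner rwx, group r-x, other ---).
restrict_tools() {
    for t in $TOOLS; do
        [ -f "$1/$t" ] || continue
        chgrp "$2" "$1/$t" && chmod 750 "$1/$t"
    done
}

# world_exec_tools DIR: print tools in DIR that "other" can still execute.
world_exec_tools() {
    for t in $TOOLS; do
        [ -f "$1/$t" ] || continue
        find "$1/$t" -perm -001 -print
    done
}

# group_users GROUP PASSWD GROUPFILE: accounts holding GROUP, either as a
# supplementary member (group field 4) or as primary GID (passwd field 4).
group_users() {
    awk -F: -v g="$1" '
        FNR == NR { if ($1 == g) { gid = $3; n = split($4, m, ",")
                        for (i = 1; i <= n; i++) u[m[i]] = 1 }
                    next }
        gid != "" && $4 == gid { u[$1] = 1 }
        END { for (k in u) print k }' "$3" "$2" | sort
}

# demo: build a throwaway sandbox, audit before and after the restriction.
demo() {
    d=$(mktemp -d) || return 1
    for t in cc ld ls; do : > "$d/$t"; chmod 755 "$d/$t"; done
    printf '%s\n' 'staff:x:50:alice,bob' 'openwin:x:60:alice' > "$d/group"
    printf '%s\n' 'alice:x:1001:100::/:/bin/sh' 'bob:x:1002:100::/:/bin/sh' \
        'carol:x:1003:50::/:/bin/sh' 'dave:x:1004:100::/:/bin/sh' > "$d/passwd"
    before=$(( $(world_exec_tools "$d" | wc -l) ))
    restrict_tools "$d" "$(id -g)"   # current GID stands in for 'staff'
    after=$(( $(world_exec_tools "$d" | wc -l) ))
    users=$(group_users staff "$d/passwd" "$d/group" | paste -sd, -)
    rm -rf "$d"
    echo "world-exec before=$before after=$after staff=$users"
}
demo
```

In the sample data carol appears in no group line but has staff as her primary GID, so she is counted alongside alice and bob.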


