
Re: compilers on firewall boxen??



Ken,

Well, let's look at what type of attack you are afraid that someone might launch on you.

The good thing about having a compiler and doing a source upgrade of the operating system is that, in order to launch an attack on you, someone will have to make an attack on the entire OpenBSD community to get vulnerable source code into the source tree. If that should happen, you can bet almost anything that you WILL hear about it when someone finds out.

The next good thing about having access to the source is that you will have a much easier time keeping up to date with STABLE, which will help minimize bugs on your system.

What are your (real) alternatives? You can use another box to compile the source on, but that is just another complexity, distributing code between computers. If you have lots of servers this is probably your preferred alternative, at least from a usability perspective.

You can ftp releases from your favourite ftp server instead of compiling code! If you do, you are much more vulnerable to ip/dns-spoofing attacks leading you to download the wrong packages. With cvs (over ssh) you will be notified if the ssh host key changes, and this can definitely be a clue that something that shouldn't happen has happened. FTPing only makes it almost impossible to keep track of STABLE, since you only have the option of going with the latest release or going with current. And you most likely don't want to go with current in a production environment.

The last problem is the same if you buy and install from CD releases. You should probably buy CDs anyway, because it feels good to support the community and it makes fresh installation easier. You won't have the problem with ip/dns spoofing as with ftp, but you can't keep up to date with STABLE.

Conclusion: You probably want to have a compiler somewhere. If you don't have lots of users on your firewall (it's a mailserver or something as well) then there are lots of easier attacks to do than an attack involving a compiler on the firewall. If you have lots of OpenBSD boxes, choose one as your compile box and update the other boxes from that (copying binaries to keep track from RELEASE to STABLE).

regards

//johan
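
Johan's conclusion (one compile box, copy binaries to the rest) says nothing about what the firewall should check when the copy arrives. The script below is an added example, not code from this thread or from the OpenBSD project: the compile box writes a manifest of SHA-256 hashes for its build output, and the firewall refuses the copied tree if any listed file is missing or altered, or if a file that was never built has appeared. The manifest has to travel over the same authenticated ssh channel Johan recommends for cvs (scp, with the host key already in known_hosts), otherwise whoever can spoof the transfer can replace the manifest along with the binaries. The paths, file names and sample contents are made up, and the script assumes no whitespace in file names.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: build on one
# trusted box, ship the binaries to a compiler-less firewall, and have the
# firewall refuse anything that does not match the build box's manifest.
# Paths, file names and demo contents are constructed for the walk-through.
# Assumption: no whitespace in file names.

# SHA-256 of one file. Prefers sha256sum; falls back to openssl dgst.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Compile box: emit "<sha256>  <relative path>" for every regular file
# under the build output tree ($1), sorted so the manifest is reproducible.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
    done )
}

# Firewall: check the copied tree ($1) against the manifest ($2).
# Returns 0 only if every listed file is present with the expected hash
# and nothing unlisted has appeared in the tree.
verify_manifest() {
    dir=$1; manifest=$2; rc=0
    while read -r want path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        got=$(sha256_of "$dir/$path")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path"; rc=1
        fi
    done < "$manifest"
    # A file the build box never produced is rejected as well.
    listed=$(awk '{print $2}' "$manifest")
    for p in $(cd "$dir" && find . -type f | sed 's|^\./||'); do
        printf '%s\n' "$listed" | grep -qxF -- "$p" || {
            echo "UNLISTED $p"; rc=1
        }
    done
    return $rc
}

# Walk-through on constructed data: a clean copy passes, then a modified
# binary and an added file are both rejected. Prints "ok" on success.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/build/sbin" "$tmp/build/usr/sbin"
    printf 'pfctl build 1\n' > "$tmp/build/sbin/pfctl"
    printf 'sshd build 1\n'  > "$tmp/build/usr/sbin/sshd"
    make_manifest "$tmp/build" > "$tmp/MANIFEST"

    cp -R "$tmp/build" "$tmp/staged"        # stands in for scp to the firewall
    if ! verify_manifest "$tmp/staged" "$tmp/MANIFEST" >/dev/null; then
        rm -rf "$tmp"; echo "clean copy rejected"; return 1
    fi

    printf 'trojan\n' >> "$tmp/staged/sbin/pfctl"     # altered in transit
    printf 'extra\n'  >  "$tmp/staged/usr/sbin/rogue" # never built
    if verify_manifest "$tmp/staged" "$tmp/MANIFEST" >/dev/null; then
        rm -rf "$tmp"; echo "tampered copy accepted"; return 1
    fi
    rm -rf "$tmp"
    echo ok
}

demo
```

On the real firewall you would run `verify_manifest /path/to/staged MANIFEST` before any `install` or `mv` into place, and abort the upgrade on a non-zero exit; the failure lines name the file so you can tell a truncated copy from a substituted one.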

--On Sunday 16 March 2003 21.14 -0700 Ken Gunderson <[email protected]> wrote:

Hello:

Apologies if this is a bit off topic for pf, but I wanted to get the
OpenBSD firewall gurus' opinions.  What is the preferred method for
keeping an OpenBSD firewall box patched and the OS upgraded?

It's generally not considered "best practice" to have compilers
available on security-sensitive applications.  Patches can be compiled
into binaries on a secure box and copied to production boxen, but OS
upgrades can get a bit unwieldy with this approach.  So this seems to
leave doing install and selecting the upgrade option, and merging /etc....
Or one can cvsup the source tree and compile.  The latter is what I
usually do, as I feel pretty confident that OpenBSD isn't going to get
hacked, but am curious as to what others think w.r.t. boxes that might
be of special interest to the black hats...

TIA--

--
Best regards,

Ken Gunderson
PGP Key-- 9F5179FD

"As we enjoy great advantages from inventions of others, we should be
glad of an opportunity to serve others by any invention of ours; and
this we should do freely and generously." 	--Benjamin Franklin