
Re: compilers on firewall boxen??



On Monday 17 March 2003 06:40 am, Johan Allard wrote:
> Ken,
>
> well - if we look at what type of attack you are afraid that someone
> might launch on you.
>
> The good thing about having a compiler and doing a source upgrade of
> the operating system is that in order to launch an attack on you -
> someone will have to make an attack on the entire OpenBSD community
> to get vulnerable source code into the source tree in order to launch
> an attack on you. If that should happen - you can bet almost anything
> that you WILL hear about it when someone finds out.
>
> The next good thing with having access to the source is that you will
> have a much easier time keeping up to date with STABLE which will
> help minimizing bugs on your system.

Yes, this is what I do presently.  I have half a dozen or so OpenBSD 
boxes and will probably bring a couple more on line in the near future, 
some of which are a bit long in the tooth hardwarewise, but hey, they 
just keep on chugging.  Compiling source tree can take a while 
though...

So compiling on a faster machine and distributing to slower boxes has 
some advantages w.r.t. compile time on these older boxen.  On some of 
my FreeBSD boxes I can buildworld on a non-production box, then NFS mount 
/usr/obj and installworld, but these OpenBSD boxes are not all on the 
same LAN and I wouldn't want to do this over the net.  Guess I could 
set up a VPN...

> What are your (real) alternatives? You can use another box to compile
> the source from but that is just another complexity distributing code
> between computers. If you have lots of servers this is probably your
> preferred alternative, at least from a usability perspective.

Somewhat of a pita, and I am wondering if it is worth the trouble and 
what others are doing in OpenBSD land....

> You can ftp releases from your favourite ftp server instead of
> compiling code! If you do - you are much more vulnerable to
> ip/dns-spoofing attacks leading you to download the wrong packages.
> With cvs (over ssh) you will get noticed if the ssh host key will
> change and this can definitely be a clue that something that
> shouldn't happen has happened. FTPing only makes it almost impossible
> to keep track with STABLE since you only have the option of going
> with the latest release or go with current. And you most likely don't
> want to go with current in a production environment.

Doable, but not a preferred option for the reasons you point out.

> The last problem is the same if you buy and install from cd releases.
> You should probably buy cd's anyway because it feels good to support
> the community and makes fresh installation easier. You won't have the
> problem with ip/dns spoofing as with ftp and you can't keep up to
> date with STABLE.

Which puts us back to either having compiler tool chain available or 
distributing binaries to keep boxes patched.

> Conclusion: You probably want to have a compiler somewhere. If you
> don't have lots of users on your firewall (it's a mailserver or
> something as well) then there are lots of easier attacks to do than
> to do an attack involving a compiler on the firewall. If you have
> lots of openbsd boxes - choose one as your compile box and update the
> other boxes from that (copying binaries to keep track from RELEASE to
> STABLE).

Definitely want to have a compiler somewhere....;-)  The firewall boxen 
only have a couple admin users and these guys are trusted, so I am not 
worried about authorized users abusing the compiler tool chain.

My main concern about having a compiler on a firewall is that in the unlikely 
event somebody does gain unauthorized access, not having a compiler 
tool chain available impedes further mischief to some degree.  But with 
only 1 remote hole in nearly 7 years...  I am not so concerned about 
this with OpenBSD;-)  Taking a defense in depth stance, however, makes 
me wonder if I should be so brazen.

It seems easiest all around to just track stable and compile on each 
individual machine via cron job that runs in the wee hours.  But 
perhaps some slight additional security gained by not having compiler 
available on every box.

So I am wondering how others handle this issue and if there is best 
practice recommendation w.r.t. OpenBSD.

Thanks bunches for your response.

-- 
Best regards,
Ken Gunderson
PGP Key-- 9F5179FD
"As we enjoy great advantages from inventions of others, we should be 
glad of an opportunity to serve others by any invention of ours; and 
this we should do freely and generously." 	--Benjamin Franklin