> A request has been made to install perl on the firewall.  (It would
> run some system audit routines, bring it in line with the rest of the
> internal unix systems.)  Given the choice, I'd rather not.  Why give
> the hackers yet another tool to use when they break into the firewall?  
> I wouldn't put a C compiler on the system for the same reason.  The
> argument for installing perl is that it's much more "secure" than
> something like C, and no more insecure than shell scripts.

I happen to think there's too much you can do implicitly with perl to even
think about this -- creating network connections, potential trojan horse
binaries, etc.

Why not rsync/ssh them off the box onto a Linux log server, and
parse/process the logs from there?  For $99 bucks you can set up a low-end
pentium with OpenSSH and the rsync rdist replacement, and process the logs
on a machine protected by that same firewall instead.  Redirect your
iostat/vmstat/sar/other monitoring output to a file, and copy it off the
box.  Certainly they'll need to be copied off the firewall to be viewed
anyway...

I'm sure some will say that if you remove the suid perl, and make sure to
keep up with the system updates, it'll be okay.

Dave
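The pipeline sketched above (monitoring output to a file, copied off the firewall with rsync over ssh, processed on the protected log server), as an added example that is not part of the original thread. It assumes a dedicated key, an unprivileged account on the log server, the `rrsync` helper that ships with recent rsync releases, and the host names and paths shown, none of which come from the post.

```sh
#!/bin/sh
# Added example, not from the original post: collect monitoring output on
# the firewall into a spool directory and push it to a log server with
# rsync over ssh. Host name, user, key and directory paths are assumptions.
set -eu

SPOOL="${SPOOL:-/var/spool/fwstats}"
LOGHOST="${LOGHOST:-logserver.internal}"  # assumed name of the log server
LOGUSER="${LOGUSER:-fwlogs}"              # assumed unprivileged account there
KEY="${KEY:-/etc/fwstats/ship_key}"       # assumed dedicated, passphrase-less key
FWNAME="${FWNAME:-$(uname -n)}"

# Run each monitoring command once and write its output to a timestamped
# file; a failing command must not stop the rest from being collected.
# On a real box substitute iostat/vmstat/sar for the commands used here.
collect_stats() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$SPOOL"
    for cmd in 'uname -a' 'df -k' 'uptime'; do
        name=${cmd%% *}
        $cmd > "$SPOOL/$name.$stamp" 2>&1 || true
    done
    printf '%s\n' "$stamp"
}

# Push the spool to the log server. No --delete: the firewall must never be
# able to remove anything already on the log server, and --ignore-existing
# keeps it from overwriting earlier uploads. BatchMode stops ssh from hanging
# on a password prompt when this runs from cron.
ship_stats() {
    rsync -a --ignore-existing \
        -e "ssh -i $KEY -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "$SPOOL/" "$LOGUSER@$LOGHOST:$FWNAME/"
}

# authorized_keys entry for the log server side: the key may only run rsync
# writing into this firewall's directory (rrsync with -wo and -no-del is
# assumed), cannot delete, and gets no shell, pty or forwarding.
# Argument: the firewall's public key.
authorized_keys_entry() {
    printf 'command="rrsync -wo -no-del /var/log/firewalls/%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$FWNAME" "$1"
}

# Drop local copies older than a day once they have been shipped.
prune_spool() { find "$SPOOL" -type f -mtime +1 -exec rm -f {} +; }

if [ "${1:-}" = run ]; then collect_stats >/dev/null; ship_stats; prune_spool; fi
```

Run it as `fwstats.sh run` from cron on the firewall; the log server needs only sshd, rsync and the authorized_keys line.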


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
